New sandboxing of Connect App Iframes in Confluence and Jira

@dboyd Please post the resolution here when you come to a conclusion, for the benefit of anyone following along with the conversation, now or in the future. I’d like to see Anton’s questions answered as well, for the record if nothing else.

2 Likes

I have updated the MS Edge to the latest version and it started to work. I had 44 and latest is 84.

2 Likes

Hello,

I am asking question regarding the sandbox for bitbucket since this post was shared in the announcement for sandboxing bitbucket.

  1. How to enable connect-iframe-sandbox? There is no documentation for it
  2. We need to enable connect-iframe-sandbox on the account of the user using the app or in the developer account?

Any more guidelines about what is the allowlist and where do specify the values mentioned in the announcement? (e.g. allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)).

Generally speaking, glad to see more security. Would be great if we could have real documentation about breaking changes.

Thanks.

1 Like

Hi @juli1,

You can read more about these changes here: Change notice: Sandboxing of Connect App iframes

1 Like

Thank you - I read the documentation. I do not think the documentation mentioned respond to any of the question above. Any way to have clarification to the question mentioned above? There is absolutely no linked documentation about how to test, nor even a code sample. That is a breaking change and it would be useful to have more guideline from the Atlassian staff.

Thank you.

Hi
Due to Change notice: Sandboxing of Connect App iframes

allow-downloads should be included into sandbox for Bitbucket Connect Apps,

but when I activate Change notice: Sandboxing of Connect App iframes BETA in Bitbucket Labs
I can not see it, I see
sandbox=“allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation”
so I can not download anything.

Please note, options persists in Jira and Trello.

Please advice.

Thank you.

There is no answer from the Atlassian staff.

Would it be possible to have clear guidelines with code examples for testing and show how to test this change? This is a breaking change and there is nothing other than a simple announcement. The Bitbucket announcement has absolutely no instruction whatsoever about how to test (e.g. how to enable connect-iframe-sandbox - something I do not see on my account).

Please provide instructions.

Thanks.

1 Like

If you need a workaround for the iframe restrictions: open a pop-up and start the download from there. That’s also how we were able to access the user’s microphone and camera in the Lively Recorder. :slight_smile:

You don’t want to build your app on top of such hacks, and workarounds. This is not future proof, and will break. As a user you also don’t want to see popups or popunders.

There should be a first-class support for such features. There is a ticket for fixing this problem in Atlassian Connect: [ACJIRA-2205] - Ecosystem Jira
Please vote :slight_smile:

Fully agree but I also know that the chances for tickets like these being picked up aren’t nearly high enough to not use what works right now.

2 Likes

Hi @dboyd

We’re also using window.top.location.href in our addon:

App key com.cprime.jira.plugins.surveyproject
App URL Surveys for Jira - Jira Customer Surveys | Atlassian Marketplace

Please enroll us for an extension.
Thanks, Elena, Cprime Products Team

Was fixed in BBS-146626.

I suspect that my app, Jenkins Integration for Jira, is also effected by this change. Just yesterday a user of the app informed me that links to there Jenkins instance from within Jira are not working as expected.

Before the app would in its panels also generate links to jobs and builds in Jenkins, and these links would open in a new window.
But since a couple of days all these links open with connection refused errors.

Looking into the issue is seems that the X-Frame-Options header with value sameorigin is the cause of the issue. Changing the link target from _blank to _top fixes the issue in that the links work again, but now the user is navigating away from Jira which I whether not do.

Is there a workaround available?

I also tried a redirect service endpoint but with no success.

Hi. What about allow-geolocation ? How can user location be retrieved? Regards. Mik.

Hi @Mik
Are you able to obtain the info you need from the AP.User JS API ?

Hi,

Can we have the ‘allow-popups-to-escape-sandbox’ option enabled as well? Currently, if an app opens a PDF file in a new tab, the file will not be rendered in Chrome.

Hi @becker,

Thanks for the feedback, we will need to investigate the security impact of adding the allow-popups-to-escape-sandbox value to the sandbox attribute.
I have raised a public ticket: ACJS-1197 - Investigate the impact of adding allow-popups-to-escape-sandbox value to Iframe sandbox attribute to keep track of this.

Is it possible for your app to provide a link for downloading the PDF as an alternative? As I understand, this may require a same-origin URL or blob/data.

Thanks

1 Like

Hi @SampadaSakpal ,

has there been any update on ACJS-1197? I cannot access it.

The issue has been brought to my attention since our app would like to link to an external site (Google Maps to be precise) that has a Cross-Origin-Opener-Policy HTTP header set and therefore navigation fails. As implementing this security technique becomes more widespread, it’s likely that allow-popups-to-escape-sandbox missing will lead to more and more issues with apps (both Connect and Forge) in the future.

Cheers,
Tobias

Hi @tobitheo ,

Apologies about the access to ACJS-1197, I had accidentally locked it. It should now be unlocked and available to view, please let me know if you still have trouble accessing it.

Thanks for letting us know of another use case, if it’s possible for you to add a comment to the above ticket, it would be helpful for us to understand further, including any sample code so we can replicate this issue.

Currently there has not been any update to the ticket, but it is useful to know of it’s impact from Marketplace partner perspective to help us prioritize it. I hope this will be possible once the ticket has become accessible (sorry about the lock).

Thanks,
Sampada

1 Like