New sandboxing of Connect App Iframes in Confluence and Jira

@dboyd Please post the resolution here when you come to a conclusion, for the benefit of anyone following along with the conversation, now or in the future. I’d like to see Anton’s questions answered as well, for the record if nothing else.

2 Likes

I have updated MS Edge to the latest version and it started to work. I had 44 and the latest is 84.

2 Likes

Hello,

I am asking a question regarding the sandbox for Bitbucket, since this post was shared in the announcement for sandboxing Bitbucket.

  1. How do we enable connect-iframe-sandbox? There is no documentation for it.
  2. Do we need to enable connect-iframe-sandbox on the account of the user using the app, or in the developer account?

Any more guidelines about what the allowlist is and where to specify the values mentioned in the announcement? (e.g. allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)).

Generally speaking, glad to see more security. Would be great if we could have real documentation about breaking changes.

Thanks.

1 Like

Hi @juli1,

You can read more about these changes here: https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/

1 Like

Thank you - I read the documentation. I do not think the documentation mentioned responds to any of the questions above. Is there any way to get clarification on the questions mentioned above? There is absolutely no linked documentation about how to test, nor even a code sample. That is a breaking change and it would be useful to have more guidelines from the Atlassian staff.

Thank you.

Hi
Due to https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/?utm_source=alert-email&utm_medium=email&utm_campaign=bb-sandbox-iframe_EML-7721&jobid=104786071&subid=1517496078

allow-downloads should be included into sandbox for Bitbucket Connect Apps,

but when I activate "Change notice: Sandboxing of Connect App iframes BETA" in Bitbucket Labs
I cannot see it. I see
sandbox="allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation"
so I cannot download anything.

Please note, the options persist in Jira and Trello.

Please advise.

Thank you.
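The posts above quote the host's sandbox allowlist (allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation) and the actual `sandbox` attribute value observed in Bitbucket Labs. The following is an added example, not code from Atlassian or from the thread, that parses such a `sandbox` attribute value the way a browser does and reports which capabilities a framed app gets, so that an app's needs (here an assumed list for a hypothetical app that serves file exports) can be checked against what the host grants before the change goes live. The flag semantics follow the HTML specification; `EXAMPLE_APP_NEEDS` and the function names are this example's own.

```javascript
// Added example (not Atlassian code): inspect an iframe `sandbox` attribute
// value and check it against the capabilities an app depends on. The
// required-flag list below is an assumption for a hypothetical app.

// Tokens of the HTML sandbox attribute relevant to this thread.
const KNOWN_FLAGS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-popups",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Parse like the browser: whitespace-separated, ASCII case-insensitive tokens.
// Browsers silently ignore unknown tokens; we report them so a typo such as
// "allow-download" is noticed instead of quietly denying the capability.
function parseSandbox(attrValue) {
  const flags = new Set();
  const unknown = [];
  for (const token of attrValue.trim().split(/\s+/)) {
    if (!token) continue;
    const t = token.toLowerCase();
    if (KNOWN_FLAGS.has(t)) flags.add(t);
    else unknown.push(t);
  }
  return { flags, unknown };
}

// Summarise what the framed document may do under this sandbox value.
function capabilityReport(attrValue) {
  const { flags, unknown } = parseSandbox(attrValue);
  const has = (f) => flags.has(f);
  const report = {
    scripts: has("allow-scripts"),
    sameOrigin: has("allow-same-origin"),
    forms: has("allow-forms"),
    modals: has("allow-modals"),
    popups: has("allow-popups"),
    downloads: has("allow-downloads"),
    // allow-top-navigation lets the frame navigate window.top at any time;
    // the -by-user-activation variant only in response to a user gesture.
    topNavigation: has("allow-top-navigation")
      ? "always"
      : has("allow-top-navigation-by-user-activation")
        ? "user-activation"
        : "never",
    unknownTokens: unknown,
    warnings: [],
  };
  // Caveat from the HTML spec: with both flags, a framed document that shares
  // the embedder's origin could remove its own sandbox attribute. Harmless for
  // cross-origin app content, but worth knowing when testing locally.
  if (report.scripts && report.sameOrigin) {
    report.warnings.push(
      "allow-scripts + allow-same-origin: a same-origin framed document could remove the sandbox"
    );
  }
  return report;
}

// Which flags an app depends on are absent from the host's sandbox value?
// allow-top-navigation is treated as satisfying the weaker
// allow-top-navigation-by-user-activation requirement.
function missingFlags(attrValue, requiredFlags) {
  const { flags } = parseSandbox(attrValue);
  return requiredFlags.filter((req) => {
    if (flags.has(req)) return false;
    if (
      req === "allow-top-navigation-by-user-activation" &&
      flags.has("allow-top-navigation")
    ) {
      return false;
    }
    return true;
  });
}

// Constructed input: the Bitbucket Labs value quoted earlier in this thread.
const BITBUCKET_BETA_SANDBOX =
  "allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation";

// Assumed needs of a hypothetical app that serves file exports from a panel.
const EXAMPLE_APP_NEEDS = ["allow-scripts", "allow-forms", "allow-downloads"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(capabilityReport(BITBUCKET_BETA_SANDBOX));
  console.log("missing:", missingFlags(BITBUCKET_BETA_SANDBOX, EXAMPLE_APP_NEEDS));
}
```

Run against the quoted Bitbucket value, `missingFlags` reports `allow-downloads` as the only gap, which matches the download failure described in the post; the same check against the allowlist from the announcement (which includes allow-downloads) reports nothing missing, which is the discrepancy the poster is asking about.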

There is no answer from the Atlassian staff.

Would it be possible to have clear guidelines with code examples for testing and show how to test this change? This is a breaking change and there is nothing other than a simple announcement. The Bitbucket announcement has absolutely no instruction whatsoever about how to test (e.g. how to enable connect-iframe-sandbox - something I do not see on my account).

Please provide instructions.

Thanks.

1 Like

If you need a workaround for the iframe restrictions: open a pop-up and start the download from there. That’s also how we were able to access the user’s microphone and camera in the Lively Recorder. :slight_smile:

You don’t want to build your app on top of such hacks, and workarounds. This is not future proof, and will break. As a user you also don’t want to see popups or popunders.

There should be a first-class support for such features. There is a ticket for fixing this problem in Atlassian Connect: https://ecosystem.atlassian.net/browse/ACJIRA-2205
Please vote :slight_smile:

Fully agree but I also know that the chances for tickets like these being picked up aren’t nearly high enough to not use what works right now.

2 Likes

Hi @dboyd

We’re also using window.top.location.href in our addon:

App key com.cprime.jira.plugins.surveyproject
App URL https://marketplace.atlassian.com/apps/1213103/surveys-for-jira-jira-customer-surveys?hosting=cloud&tab=overview

Please enroll us for an extension.
Thanks, Elena, Cprime Products Team

Was fixed in BBS-146626.

I suspect that my app, Jenkins Integration for Jira, is also affected by this change. Just yesterday a user of the app informed me that links to their Jenkins instance from within Jira are not working as expected.

Before, the app would also generate links in its panels to jobs and builds in Jenkins, and these links would open in a new window.
But since a couple of days ago, all these links open with connection refused errors.

Looking into the issue, it seems that the X-Frame-Options header with value sameorigin is the cause of the issue. Changing the link target from _blank to _top fixes the issue in that the links work again, but now the user is navigating away from Jira, which I would rather not do.

Is there a workaround available?

I also tried a redirect service endpoint but with no success.