Recommendations for displaying Confluence user avatars without additional egress

I have an app which contains a list of users in a Confluence cloud instance. As part of this list I want to display the user display name and avatar. Currently the Confluence Cloud “Get user” endpoint returns the following

"profilePicture":{
    "path":"/wiki/aa-avatar/557058:6b9c9931-4693-49c1-8b3a-931f1af98134",
    "width":48,
    "height":48,
    "isDefault":false
}

This path is relative to the current Confluence instance, so in my case it becomes https://joshp.atlassian.net/wiki/aa-avatar/557058:6b9c9931-4693-49c1-8b3a-931f1af98134

However if I then want to display this image in my app, I see the following in my browser dev tools because this isn’t part of the existing iframe CSP:

[Error] Refused to load https://joshp.atlassian.net/wiki/aa-avatar/557058:6b9c9931-4693-49c1-8b3a-931f1af98134 because it does not appear in the img-src directive of the Content Security Policy.

When loading this URL externally, it actually returns a 302 redirect to https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/557058:6b9c9931-4693-49c1-8b3a-931f1af98134/7f0c6294-4750-4ff7-a6cb-be6b43744fc5/128, and avatar-management--avatars.us-west-2.prod.public.atl-paas.net is actually already part of the pre-defined CSP for Forge applications:

Content-Security-Policy: img-src 'self' data: blob: https://secure.gravatar.com https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://api.atlassian.com;

Jira Cloud already returns full URLs in this format and I’ve added a ticket to Confluence Cloud asking that their API is updated to provide these fully-qualified URLs in addition to the existing relative URL.

The way that this can be worked around currently is by adding "*.atlassian.net" to the external images egress in my Forge manifest, however that presents a confusing message to users requesting access to the Atlassian domain, which the authorisation dialog currently says is “outside Atlassian”. However, I’d prefer not to have to prompt the user for this access request when this functionality is currently accessible to Forge apps using Jira. I was wondering whether anyone knows of any way to get an avatar-management--avatars.us-west-2.prod.public.atl-paas.net domain for a Confluence profile picture? Or whether anyone on the Forge team is able to work around this by potentially adding "*.atlassian.net" to the default image CSP? Thanks.

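As an added example (not part of the original post, and not Atlassian's Forge code), the JavaScript below resolves the relative profilePicture path from the "Get user" response against the site base URL and then checks each candidate URL against the img-src directive quoted in the post. It lets you confirm offline which URL the iframe CSP would block and which it would allow, and what widening the directive with "https://*.atlassian.net" changes. The matcher is a simplified version of the CSP Level 3 source-expression rules ('self', scheme sources, exact hosts, *.wildcard hosts, ports and path prefixes); PAGE_ORIGIN is a placeholder assumption for the Forge iframe origin, not a real Forge hostname.

```javascript
// Added example (not from the original post): resolve the relative avatar path
// from the Confluence "Get user" response and check the resulting URL against
// the img-src directive of the Forge iframe CSP. The matcher is a simplified
// version of the CSP Level 3 source-expression rules.

// The img-src directive from the post, verbatim.
const FORGE_IMG_SRC =
  "img-src 'self' data: blob: https://secure.gravatar.com " +
  "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net " +
  "https://api.atlassian.com;";

// Resolve profilePicture.path against the site base URL (the path is relative
// to the Confluence instance, as the post describes).
function resolveProfilePicture(profilePicture, siteBaseUrl) {
  return new URL(profilePicture.path, siteBaseUrl).href;
}

// Split "img-src a b c;" into { name: "img-src", sources: ["a", "b", "c"] }.
function parseDirective(directive) {
  const [name, ...sources] = directive.trim().replace(/;\s*$/, "").split(/\s+/);
  return { name, sources };
}

// Does one CSP source expression permit `url`? `pageOrigin` is the origin of
// the document carrying the policy (needed for 'self').
function sourceAllows(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return url.protocol === "https:" || url.protocol === "http:";

  // Scheme source, e.g. data: or blob:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol.toLowerCase() === source.toLowerCase();
  }

  // Host source: [scheme://]host[:port][/path]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== "https:" && url.protocol !== "http:") {
    return false;
  }

  const wantHost = host.toLowerCase();
  const gotHost = url.hostname.toLowerCase();
  if (wantHost.startsWith("*.")) {
    // A wildcard matches any subdomain but not the bare domain itself.
    if (!gotHost.endsWith(wantHost.slice(1))) return false;
  } else if (gotHost !== wantHost) {
    return false;
  }

  if (port && port !== "*" && url.port !== port) return false;
  if (!port && url.port !== "") return false; // only the scheme's default port

  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Return the first source expression that permits `urlString`, or null if
// the directive would block it.
function findAllowingSource(directive, urlString, pageOrigin) {
  const { sources } = parseDirective(directive);
  const url = new URL(urlString);
  return sources.find((s) => sourceAllows(s, url, pageOrigin)) ?? null;
}

// Append an extra host source (what the manifest egress workaround amounts to).
function withExtraSource(directive, extra) {
  return directive.trim().replace(/;\s*$/, "") + " " + extra + ";";
}

// Constructed inputs taken from the post. The Forge iframe origin below is a
// placeholder assumption, not a real Forge hostname.
const PAGE_ORIGIN = "https://forge-app.example";
const PROFILE_PICTURE = {
  path: "/wiki/aa-avatar/557058:6b9c9931-4693-49c1-8b3a-931f1af98134",
  width: 48, height: 48, isDefault: false,
};
const INSTANCE_URL = resolveProfilePicture(PROFILE_PICTURE, "https://joshp.atlassian.net");
const REDIRECT_URL =
  "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/" +
  "557058:6b9c9931-4693-49c1-8b3a-931f1af98134/7f0c6294-4750-4ff7-a6cb-be6b43744fc5/128";

console.log(INSTANCE_URL, "->", findAllowingSource(FORGE_IMG_SRC, INSTANCE_URL, PAGE_ORIGIN));
console.log(REDIRECT_URL, "->", findAllowingSource(FORGE_IMG_SRC, REDIRECT_URL, PAGE_ORIGIN));
```

Running it shows the instance-relative URL matching no source (which is the "Refused to load" error in the post) while the post-redirect atl-paas.net URL matches the pre-defined host source. The browser evaluates img-src against the URL the <img> tag requests, not against where a 302 eventually lands, so the redirect does not help unless the first hop is itself allowed; note also that widening to "https://*.atlassian.net" matches every tenant subdomain, not just your own instance, which is the scope the authorisation dialog is asking users to accept.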