Refused to load the script - Issue panel is not showing for our custom forge app (Content Security Policy Violation Error)

Hi Experts,

When we try to access the Jira issue then issue panel of our custom forge app dose not appear. When we checked the browser console logs so it showing the below error:

Refused to load the script 'https://gateway.zscloud.net/auD?origurl=https%3A%2F%2Fforge%2ecdn%2eprod%2eatlassian%2ddev%2enet%2fglobal%2dbridge%2ejs&wexps=1&_ordtok=QBZ3WVhBVRsW6NrTTgtQJFVjv2' because it violates the following Content Security Policy directive: "script-src 'self' https://forge.cdn.prod.atlassian-dev.net". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Refused to load the stylesheet '
https://gateway.zscloud.net/auD?origurl=https%3A%2F%2Fxxv3l0%2dl6xsgff8q%2dqkn2yr1hf%2d%2d1qas39%2d1viwjt6qns%2d63mpov483%2ecdn%2eprod%2eatlassian%2ddev%2enet%2f063caab5%2dad41%2d40eb%2db578%2d0fa74b236323%2f0956ce3e%2d6f6e%2d49c6%2d845d%2d26ac56c95970%2f79ca3bc4%2deb0c%2d402d%2dab77%2d927ebb9099b4%2fmain%2f%5fhostname%5fvisteon%2dsandbox%2eatlassian%2enet%2fstatic%2fcss%2fmain%2e144866dd%2ecss&wexps=1&_ordtok=Lr43WVZR24JBF5rqkQHQnFZDkF'
because it violates the following Content Security Policy directive: "style-src 'self'
https://forge.cdn.prod.atlassian-dev.net
'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Please find the manifest.yml attached here. Could anyone help us to resolve this issue ?

modules:
  jira:issuePanel:
    - key: demo-issue-panel
      resource: main
      resolver:
        function: demoResolver
      viewportSize: medium
      title: demo
      icon: resource:images;assets/images/logo/demoIcon.svg

  jira:issueActivity:
    - key: demo-activity-panel
      resource: main
      resolver:
        function: historyResolver
      viewportSize: medium
      title: demo

  jira:projectPage:
    - key: demo-helloWorld-module
      resource: main
      resolver:
        function: helloWorldResolver
      viewportSize: medium
      title: helloWorld
      icon: resource:images;assets/images/logo/helloWorld-module.svg
      pages:
        - title: "helloWorld Planner"
          icon: resource:images;assets/images/logo/helloWorld-planner.svg
          route: /
        - title: "Team Availablity"
          icon: resource:images;assets/images/logo/team-availablity.svg
          route: /team-availablity
        - title: "Team Allocation"
          icon: resource:images;assets/images/logo/team-allocation.svg
          route: /team-allocation
        # - title: "Program Allocation"
        #   icon: resource:images;assets/images/logo/team-allocation.svg
        #   route: /program-allocation
  function:
    - key: demoResolver
      handler: moduleRoute.demoHandler
    - key: historyResolver
      handler: moduleRoute.historyHandler
    - key: helloWorldResolver
      handler: moduleRoute.helloWorldHandler
resources:
  - key: main
    path: static/demo/build
  - key: images
    path: static/demo/src
  - key: images
    path: static/demo/src
permissions:
  external:
    scripts:
      - https://gateway.zscloud.net
    fetch:
      backend:
        - https://xyz-sandbox.atlassian.net
        - https://abc.atlassian.net
      client:
        - https://xyz.sharepoint.com
        - https://abc.xyz.com  
    images:
      - "*.wp.com"
      - "*.gravatar.com"
      - "*.twimg.com"
  scopes:
    - read:jira-work
    - write:jira-work
    - read:jira-user
    - read:project-role:jira
    - read:project:jira
    - read:project-category:jira
    - read:servicedesk-request
  content:
    styles:
      - unsafe-inline 
app:
  id: ari:cloud:ecosystem::app/063caab5-adwer41-wer-b578-0fa74b236323

  runtime:
    name: nodejs18.x

This issue got resolved with the help of network & Zscaler team as it was blocked by authentication policy.

1 Like