Hi, can I ask what critical security hazard we are trying to prevent with an exact-match whitelist of links? To me, a browser opening a hyperlink (in a new tab) is not data egress.
It is unclear why UX navigation to hyperlinks is being restricted at all.
As users can put any hyperlink they want into a Jira field or Confluence document and navigate without restriction, what is the point of preventing an app from doing the same thing?
But… if Atlassian is committed to blocking hyperlinks, then a few questions about how this proposal with static/exact-match links would work:
As a vendor we have apps with context-sensitive help navigation links. Let’s assume we have 30 well-defined links to help desk/support articles or anchors for one app (all in the format https://support.myapp.com/articles/[ARTICLEID]/#anchor).
What is the point of locking these 30 links into the manifest? Is the plan to show all 30 links to the Jira administrator who is installing the app and ask them to vet every single link? How could they possibly have the information to do that?
And assuming they do say "yes, those 30 random links I know nothing about look okay", what happens when we need to add another help article link (#31) to the app?
Does adding that create another MAJOR version that requires every administrator in every customer site to personally assess the new link and install the new version before users can access that link?
Appreciate some background as to why all this link policing is even necessary.
If it is absolutely necessary, then at least put in wildcards so the admins can say yes, navigating to https://support.mysite.com/* is something I am willing to allow my users to go to from an app link. If I was building an app with dynamic links (e.g. links to YouTube videos), I would want customers to be able to whitelist youtube.com/*.
Thank you for hearing our feedback.
Chris