RFC-28: Custom Domains Support For Jira

Hi @nsher ,
Is Atlassian going to support this dynamic CSP in atlassian-connect?
I’m asking because in practice, you can’t add too many directives to your CSP headers: Content security policy maximum size exceeded - Really Simple SSL

Apologies for any confusion around this. I spoke to our security team to get clarification on this solution and the one they outlined is:

  • request comes in
  • The app knows the displayUrl for the relevant installation
  • injects CSP header for that installation into responses
    • eg. frame-ancestors ${displayUrl}
2 Likes

Ah, so it’s not a list of all known custom domains, but a mechanism that dynamically adds the currently relevant custom domain only. That makes sense.

Hi @nsher

You wrote:

  • The app knows the displayUrl for the relevant installation
  • injects CSP header for that installation into responses
    • eg. frame-ancestors ${displayUrl}

This makes the assumption that the app knows the displayUrl, but it seems that this is not always the case. Has this been resolved to ensure that apps always receive the lifecycle hooks (and in a timely manner)?

As a header, the CSP needs to be committed before any HTTP response body content can start to be streamed, so even in the case where app does know the displayUrl, this adds another database fetch to the critical path before serving any request. (And we definitely do not want to have to fetch anything from the host at this point to resolve an unknown displayUrl!)

If Atlassian cannot guarantee that the lifecycle webhooks will be delivered consistently and quickly, is there perhaps some way to deliver this information with every request (like securely encoded in query parameters, or in HTTP headers)? Otherwise, pages will not function correctly until the lifecycle hook is received.

2 Likes

Not sure if we’d be able to support dynamically generating the CSP without adding a major architecture lift (it would be great for this to be added to ACE).

Is it possible to have the data assets remain on the *.atlassian.net domain and have the front end dns be custom domain?

2 Likes

We’ll soon be adding displayUrl & displayUrlServicedeskHelpCenter to the Server Info API.

The change is live and the change log is published on DAC - https://developer.atlassian.com/changelog/#CHANGE-1240

1 Like

Hi @nsher ,
When a user adds a custom domain, there need to be changes in DNS. DNS change propagation can take up to 48 hours.
How are we supposed to handle DNS errors during the setup of the custom domains?
If we use a custom domain in a CSP policy, we might not even detect any DNS error, as the error will manifest in the user’s browser.

Thanks for the community comments. We ran really late with closing for discussion and a few comments came in after. We’re even past the resolution date now. I’ll be following up with @Ningqi and team to get a resolution to the questions & concerns raised here.

Thank you everyone for your feedback! We greatly appreciate your inputs.

Firstly, we would like to express our gratitude to those who have registered and tried Custom Domains. We hope that you like your experience.

We would like to take this opportunity to assure you that we are actively working on addressing every feedback item that we have received in previous community posts and as part of this RFC. We have created ACEJS-183: Add Custom Domain Fields to AP.context.getContext() and ACE + ACSB InvestigationTRIAGE to address your concerns.

The feature will be made live to all Atlassian customers in Q2 2024. Read more about custom domains public roadmap here - Cloud Roadmap | Atlassian

Developers will have three months’ time, starting Nov 27, 2023 till Feb 29, 2024, to make the changes to adopt custom domains in their apps. During this deprecation period, we request marketplace partners to make sure that they have made all the necessary changes as suggested in this RFC in order for their apps to work with a custom domain.

Future Feedback: Interested marketplace partners who would like to test their app’s interaction with a custom domain can register for testing by providing tenant details here - EAP Registration. If you come across any gaps in Custom Domains in the future, please report them to Bugs. We will actively work on resolving any blockers. Going forward, we will not be monitoring the developer community for Custom Domains feature gaps posts.

We appreciate all of you for working with us! Thank you so much for all your input and contributions that will make this a success!

1 Like