The hostBaseUrl is derived from the iFrame xdm_e which is set to the domain which is rendering the site. In the circumstance of the Connect iFrame being loaded in a custom domain, this would then return the associated custom domain of the site. Similarly, if it is loaded on a *.atlassian.net site, it would provide the regular baseUrl.
Hello,
I was testing the custom domain feature compatibility with our app. Our iframes arenât loading and Iâm getting this error on the console, related to the all.js:
Failed to execute âpostMessageâ on âDOMWindowâ: The target origin provided (âhttps://old.subdomain.url.atlassian.netâ) does not match the recipient windowâs origin (âhttps://new.custom.domainâ).
(anonymous) @ all.js:94
R @ all.js:276
(anonymous) @ all.js:278
(anonymous) @ all.js:278
@PRPA that looks easy to diagnose. The post message communication between your app and Confluence is targeting the wrong domain, so the messages never get through. Atlassian will have to fix this. Maybe open an ECOHELP or other support ticket.
Hi,
How should we handle the âwhitelistâ option in the config.json file for the Atlassian Connect Express framework?
If we leave the option at its default setting, installations from custom domains are rejected as they are not allowed. The only alternative I can think of is to add a rule to the allowlist that permits installations from any domain. However, this ultimately renders the option and the inherent security mechanism useless.
Is there an official position from the Atlassian team that we should follow on this?
All installation, webhook, etc. requests should still come from the existing baseUrl (as in *.atlassian.net), not from the custom domain. This means that existing whitelist options should permit these requests as expected.
If youâre seeing something different to this, please let us know and weâll look into it.
Thanks everyone for your feedback regarding Connect, a few additional updates:
We are working on some updates to ACE and ACSB which will result in the displayUrl and displayUrlServicedeskHelpCenter being persisted for both Confluence and Jira custom domains.
We are working on extending AP.context.getContext() to also return the displayUrl and displayUrlServicedeskHelpCenter for Confluence and Jira front-end only apps.
We ran tests on an instance with a custom domain, and we couldnât install a connect app due to the block applied by the whitelist option. Only by applying permissive rules (e.g. unblocking installation from any domain) were we able to get the installation through.
I recommend conducting a thorough review of this aspect; otherwise, thereâs a risk that all customers with an active custom domain wonât be able to install many of the apps available on the marketplace.
It looks like some features werenât yet enabled for your EAP domains. Weâve now enabled fixes for Connect Confluence custom domains for all EAP domains and you should no longer experience these problems. If you run into any issues, please share your instanceâs domain via a DM and Iâll follow up to confirm everything is enabled as expected.
Hereâs what I see so far. Something doesnât seem quite right and it is not particularly usable:
There are no HTTP redirects from the old xxxxx.atlassian.net site to the custom domain.
If you attempt to access the site from the old atlassian.net domain anyway, loading something from a Connect app configured as âtargetâ: âdialogâ produces HTTP 403 errors.
No lifecycle hooks are sent to the app when the custom domain is enabled.
No lifecycle hooks are sent to the app when the custom domain is DISabled.
Every time I deactivate the domain in admin.atlassian.com, I receive a new email with subject line: âCustom domain is ready to activateâ.
Once you start using the new custom domain, you can navigate to the /jira URL and start using JSW on the custom domain too. Are JSW app vendors aware of this?
When using the site from the new custom domain, we see failed requests from our back end for Connect user impersonation. The Confluence host returns: HTTP 403 âSession auth token failed secret validationâ.
The Connect lifecycle install/uninstall/enable/disable payload supplies the custom domain URL for both the baseUrl and the displayUrl.
I canât install a new app after the custom domain is enabled, due to the whitelist issue. ACE is causing our app to return HTTP 401 to the install request: Installation verification error: 401 Host at https://mycustomdomain.com/wiki is not authorized to register as the host does not match the registration whitelist (*.jira-dev.com,*.atlassian.net,*.atlassian.com,*.jira.com).
As an aside, this RFC is marked as having the discussion closing today. I donât know if anyone else is in this situation, but I filed a ticket to participate in the EAP as soon as the program opened, but the custom domain on my test site did not get enrolled in the EAP until two days ago. (And I am still limited in the feedback I can provide because so many things seem to be broken, at least on my test site, as in my post above.)
Since other people may be in the same situation, perhaps you might think about extending the RFC period so that more people can actually experience the custom domains and provide feedback.
I registered on the EAP within minutes. Im still waiting for the custom domain to start working. I added the name records a few days ago, after receiving the âcustom domain is readyâ email.
