Safari not generating proper referer with site tracking option

Hey…

We rely on verifying the active license via the “lic” flag coming in the referer.

In Safari, if I enable the website tracking option (“checked”), I am not getting the referer in all requests.

The referer is generated properly with the option unchecked.

Do we have any alternative to get the lic flag without the referer (through a JavaScript API), so I can pass it in all my subsequent requests going forward from my cloud app?

Thanks,
Umang

Hi @umang.savaliya,

Sorry if I’m a bit thick, but I just want to confirm I understand your scenario. The referer URL in your screenshot looks like an iframe URL. Do you render a link in your app iframe to a resource on your app server that expects the browser to pass on the referer header?

If the above is correct, is there a reason your app can’t generate the link with the URL query parameters your app needs?

I think web apps should be resilient to referer headers being absent since they are meant mainly for analytics and logging.

Regards,
Dugald

Thanks @dmorrow!

You are correct; in my previous post, the screenshot showed our iframe URL.
Also, I read somewhere in the documentation that Jira adds the referer on each and every subsequent request coming from the vendor app, and we will get the licence “lic” information from that.

For us to verify whether the client license is active or not, I found it a bit more convenient to rely on this flag (“lic”) instead of calling the Jira add-on API and verifying client information in each and every request.

If you have any other alternative to get the lic information from the UI, kindly suggest it.

-Umang


Hi @umang.savaliya,

Can you change your app so that it explicitly passes through the lic query parameter? So if your app iframe URL is your-app.com/some-panel?lic=foo, then the links within the panel will be of the form your-app/some-other-resource?lic=foo.

Regards,
Dugald

Actually, if you look, “lic” is generated by Jira, not by our app, and we are using this flag for all our subsequent requests… but when I disable the “site tracking option” in Safari this referer is not generated.

My ultimate approach is the same as what you suggested: I will append it as a query parameter in all my requests. But where will I get lic = active or none from in my UI?

Referer: https://vandeorappURL/?xdm_e=https%3A%2F%2F<vendroapp>&xdm_c=channel-<appkey>&cp=&xdm_deprecated_addon_key_do_not_use=<appkey>&**lic=active**&cv=1001.0.0-SNAPSHOT&jwt=<jwt>

As mentioned elsewhere on CDAC - don’t rely on the Referrer:

It will cause you pain. Not only is it not really reliable from a browser perspective (some browsers won’t send it depending on settings), firewalls might strip it as well, and depending on firewalls and web servers it might be captured in log files.

The best thing is to do the lic enforcement at the initial iframe page that is loaded and then, if you need to, pass the parameter onwards to any other URLs that will need it.

xdm_e is another parameter that you need to watch out for and not use… Deprecation of xdm_e Usage


Hi @umang.savaliya and @danielwester,

My previous comment about passing the license info in a query parameter is not the best practice, since it could be spoofed. In general, to securely pass information to your app server, you can use the context token provided by AP.context.getToken(). From the cacheable app iframes guide:

If an app needs to perform operations dependent on context information in its server, then the app must be declared as using JWT security and the context information must be passed to the server using the JWT token (the JWT contains the context information). Put another way, JWT tokens are the only secure way to pass context information from the product UI to the app server.

License information is in the context JWT, but only for apps requiring a license.

Regards,
Dugald


As per the Jira documentation mentioned in the link below, standard parameters are common across all requests and are always included in the URL query string.

https://developer.atlassian.com/cloud/jira/platform/context-parameters/?_ga=2.24032441.245829787.1595400475-1116369192.1595143772

For my current issue, let me get that information from the query parameter instead of the referer and pass it to my server for subsequent requests…

@dmorrow Jira must remove “lic” and move it under AP.context so it will be secured/encrypted. This is sensitive information about the client.

Thanks,
Umang

I’ve expanded the scope of AC-2529 to include license information.

Edit: License information is in the context JWT so there is no need to expand AC-2529.
