What happened to referer header?

I noticed that recently (2018-01-22?) Jira stopped sending the referrer header when calling cloud add-ons. For example, when my add-on page is at https://acme.atlassian.net/plugins/servlet/ac/my-page?foo=bar, the URL used to be included in the “referer” HTTP header when calling the connect add-on.

Is this an intentional change or a new bug? How can the server get the host URL, with query params etc?

2 Likes

We’re seeing the same behavior.

It looks like the connect iframes are including referrerpolicy="no-referrer", which would do it. That said, I wouldn’t depend on the referer header for any data though, since it can be faked (it doesn’t have a JWT query string on it) and it can be disabled depending on the browser.

You should be able to send the data that you want down through the context parameters (and thus can trust them) and/or fetch them through the AP bridge on the client side.

2 Likes

Yeah the solution to this change is to use AP.getLocation

1 Like

That allows you to get the referer in JavaScript but stuffs up doing anything on the server end. Anyone know of a server-side fix for this?

AFAIK requests from Jira to our apps contain a JWT token that you can use to determine which customer is making the request.

As a server-side fix we use custom context parameters. However, they are available for page modules only. For webpanels you could use some hack with AP.getLocation.
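The replies above contrast the unsigned referer header with context parameters that arrive alongside a JWT. The following is an added example, not code from the thread or from Atlassian: a Node sketch of why those parameters can be trusted, checking the HS256 signature and the Connect query string hash (`qsh`) before using them. The function names, the `/my-page` path, the client key and the shared secret are assumptions made up for illustration.

```javascript
// Added example (not from the thread): trust context parameters only after
// the Connect JWT signature and its query string hash (qsh) both check out.
const crypto = require('crypto');

// RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// qsh = SHA-256 of "METHOD&path&canonical-query"; keys sorted, jwt excluded.
function computeQsh(method, path, query) {
  const canonicalQuery = Object.keys(query).filter((k) => k !== 'jwt').sort()
    .map((k) => `${enc(k)}=${[].concat(query[k]).map(enc).sort().join(',')}`)
    .join('&');
  return crypto.createHash('sha256')
    .update(`${method.toUpperCase()}&${path}&${canonicalQuery}`).digest('hex');
}

const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Helper used only to build the constructed sample request below.
function signJwt(claims, secret) {
  const part = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const signingInput = `${part({ alg: 'HS256', typ: 'JWT' })}.${part(claims)}`;
  return `${signingInput}.${hmac(signingInput, secret).toString('base64url')}`;
}

// Returns { clientKey, params } or throws. Assumption: sharedSecret is the one
// stored for this tenant at install time.
function trustedContext(method, path, query, sharedSecret, now = Date.now() / 1000) {
  const parts = String(query.jwt || '').split('.');
  if (parts.length !== 3) throw new Error('missing jwt');
  const [head, body, sig] = parts;
  const decode = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (decode(head).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(`${head}.${body}`, sharedSecret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error('bad signature');
  const claims = decode(body);
  if (!(claims.exp > now)) throw new Error('expired');
  if (claims.qsh !== computeQsh(method, path, query)) throw new Error('qsh mismatch');
  const { jwt, ...params } = query;
  return { clientKey: claims.iss, params };
}

// Constructed sample: tenant key, secret and path are made up for illustration.
const SECRET = 'constructed-shared-secret';
const sampleQuery = { foo: 'bar' };
sampleQuery.jwt = signJwt({ iss: 'constructed-client-key',
  exp: Math.floor(Date.now() / 1000) + 180, qsh: computeQsh('GET', '/my-page', sampleQuery) }, SECRET);
console.log(trustedContext('GET', '/my-page', sampleQuery, SECRET));
```

Because `qsh` covers the method, path and every query parameter except `jwt`, changing `foo` after signing fails the check, which is the property a bare referer header never had.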

Konrad, did you manage to get this working? I’ve got the same issue as you. Given the URL in your example, what values did you use in your atlassian-connect.json file? I’ve tried both ?foo={foo} and ?foo={ac.foo} and the key / value never seems to appear in my req.context server side.