Why is an app not eligible for 'Runs on Atlassian' if it displays external images in the UI?


Our plugin includes a feature that allows users to embed images via external links. These links are provided by the users, not by the app vendor. Given this, I’d like to clarify why such a setup would affect the app’s eligibility.

Same for our app. Atlassian is working on RFC-94: Configurable Egress and Remotes.

2 Likes

Hi @Alexandr

Thanks for reaching out.

Our approach for the Forge platform is to be secure by default. This means that all egress is either blocked or under the control of the customer admin.

We do, however, allow some internal Atlassian services and images to be included by default, such as our avatar URLs and some internal APIs that enforce tenant isolation. More information can be found here.

However, we cannot just allow all images by default, as embedded images can be a source of security threats, with mechanisms such as steganography and the use of polyglot image files, which can lead to XSS attacks.

As mentioned by @clouless we are looking at opening up the restrictions with the support of configurable egress which aims at putting the approval and configuration part of the egresses back to the site admin.

However, we have not committed to what those configurable egresses would mean for the Runs on Atlassian eligibility.

Hope this helps.

3 Likes