This page includes release notes and updates for Confluence Cloud app developers. Use this page to keep track of upcoming changes, deprecation notices, new features, and feature updates from Confluence Cloud.
For updates about changes to the Forge platform, see the Forge changelog in the Forge documentation.
You can also ask questions and learn from other Confluence Cloud developers on the Atlassian Developer Community.
We're deprecating injecting stylesheets for Connect apps via inline styles in favor of loading from the Connect CDN. This affects the Theming API and dynamic content macros that supported the legacy Confluence editor.
At the end of the deprecation period (18th November 2024), we’ll stop injecting any inline styles and only load from the CDN.
If your app doesn’t use the above Connect features, or doesn’t use a Content Security Policy (CSP) for style-src, no action is required. Otherwise, please read the details here or see https://developer.atlassian.com/platform/marketplace/security-requirements/#connect-apps on how to modify your CSP to support these changes.
To support these changes in your app, if you're using a Content Security Policy that sets the style-src policy, you must add the Connect CDN (https://connect-cdn.atl-paas.net) to your policy to allow these stylesheets to be injected. It's safe to remove unsafe-inline from your policy if you've been using it up until now.
The stylesheets mentioned here are included automatically via the Connect JS script, not manually by the app vendor. There are two circumstances under which Connect injects stylesheets into your app.
The first is only for apps which opted in to the Theming API. The theme stylesheets currently load via an inline stylesheet, which forces vendors to adopt the insecure unsafe-inline policy, and is the main motivation for this change.
The second location is only for dynamic content macros. We inject a stylesheet with CSS classes representing colors from the legacy Confluence editor. This happens without opt-in, to be backwards-compatible with macros created in the legacy editor. This injection is currently done via CSSOM, not inline styles, and therefore isn’t impacted by style-src CSP rules currently. However it’ll also start being served from the CDN.
During the deprecation period, styles will be loaded simultaneously via the current methods described above and from the CDN. After the deprecation period, styles will only be loaded from the CDN, and the inline/CSSOM methods will be removed.
We are deprecating the Bulk remove content states from content and the Get update on long running task for setting of content state v1 REST APIs in Confluence Cloud.
On Nov 13, 2024, the POST /wiki/rest/api/content-states/delete endpoint and the GET /wiki/rest/api/content-states/task/{taskId} will be removed.
We recommend you use the Removes the content state of a content and publishes a new version endpoint instead.
A new RFC is ready for review at https://community.developer.atlassian.com/t/rfc-50-let-users-easily-interact-with-and-configure-macros-in-the-editor/79871.
Following this deprecation announcement from November 6, 2023, we're removing the PUT /wiki/rest/api/content-states endpoint from the Confluence Cloud v1 REST API. It’ll no longer be available from the time of this announcement and we won’t be providing a replacement functionality.
The groups atlassian-addons and atlassian-addons-admin will no longer be returned by the Get Groups API since they are strictly for internal use.
We are extending the deprecation period for all endpoints noted in CHANGE-864 and CHANGE-1116 to Dec 2, 2024.
Atlassian Security Scanner is already checking your Marketplace apps for any critical- or high-severity vulnerabilities in third-party dependency trees and .jar files. The tool is helping us ensure that all apps on the Marketplace are safe for our customers to download and install on their instances.
While .jar files are scanned every day due to the nature of modern cyber threats, third-party dependencies are checked when you submit your app for approval for the first time and during the regular annual review.
If Security Scanner doesn’t detect any vulnerability in your app, it’s safe to be on the Marketplace.
In case a security issue has been found, a Jira ticket about it will be created in the Atlassian Marketplace Security (AMS) project, and you’ll receive an automated email notification about the ticket. As soon as you fix the issue, upload the new version of your app to the Marketplace. Your ticket will be closed automatically the next day after Security Scanner checks the app again and finds no vulnerabilities.
If you need help or have questions, don’t hesitate to chat with an entitled representative of the Data Center Review team in the ticket’s comments. Or you can always contact Atlassian Support directly.
We’d like to highlight that the security scanning on our side is a complementary process to catch the most obvious security issues in case there are no security processes established on the app partner’s side. Thus, our solution doesn’t aim to substitute security checks on your side with a tool you trust. We rather provide assistance with a security audit in case these checks aren’t done.
We’re introducing new endpoints to the Confluence Cloud REST API v2 for applying and modifying classification levels in spaces, pages and blog posts. How does data classification work?
Classification Levels
Space Default Classification Level
Page Classification Level
Blog Post Classification Level
We’ve added a set of new query parameters to the v2 Get space by id API endpoint that allows for optional fetching of metadata properties related to the given space. These include:
include-labels
include-operations
include-properties
include-permissions
By default, these metadata properties will not be included in the response unless specified.
EDIT, 15-May-2024: This RFC is now closed.
A new RFC is ready for review at https://community.developer.atlassian.com/t/rfc-47-evolving-the-developer-canary-program-associated-developer-assistant-apps/79453.
A new RFC is ready for review at https://community.developer.atlassian.com/t/rfc-45-upcoming-changes-to-jira-navigation/79375/70.
We have now fixed the incorrect scope check requests with a trailing forward slash.
Assume there is a scenario where a request is made to an endpoint https://api.atlassian.com/some/path/. Scope checking may find a valid scope for path /some/path/** and pass the scope check. Once the request reaches the backend service, if the service does not have a path with a trailing slash, it may remove it and invoke the parent endpoint https://api.atlassian.com/some/path which may not have the same scope requirements.
With this fix, scope checking will ignore the trailing slash when matching scopes to the path.
This means that a request to https://api.atlassian.com/some/path/ and https://api.atlassian.com/some/path will be treated the same with respect to scope checking.
The progressive rollout of data security policy events has been completed. Data security policy events are generated when installed apps' access to certain data within Confluence, Jira, Jira Service Management, or Jira Software has been blocked by an administrative policy with an App access rule. You can now subscribe to these events.
Being a new capability however, we are scaling up our processing of these data security policy events over the next few months. In the meantime we have set a upper limit of 50,000 objects. This means that if a customer activates or updates a data security policy that affects more than 50,000 objects, you will receive the first 50k objects in the events and the rest would be omitted.
We intend to raise these limits and will advise once we have reached our final threshold— and have determined our final hard limits.
Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.
The new app access rule under data security policies allows customers to restrict app access to the content in Confluence spaces or Jira projects under a given policy. In this way, customers can benefit from apps while still limiting 3rd-party app access to certain content in select spaces.
If you are looking to update your apps with custom in-app messaging whenever your app is affected by an app access rule, we encourage you to use the Developer guide.
The Forge confluence:spaceSettings module now supports view.createHistory() for Custom UI via @forge/bridge. App developers can now utilize a path segment at the end of the global page URL to maintain page history within their application.
Some permission checks performed by the endpoint /wiki/rest/api/content/{id}/permission/check for operations other than read now return a different informational error message when a permission check fails, as follows:
Some checks that returned “User does not have permission to the space” now return “User does not have permission to the content”.
Some checks that returned “Anonymous user does not have permission to the space” now return “Anonymous user does not have permission to the space”.
Previously, this API did not return “User does not have permission to the space” consistently when the cause of a failed check was a lack of space permissions, so this change is not breaking. It simply reduces the frequency with which this message is returned as an error in the response body for operations other than read.
The endpoint /wiki/rest/api/content/{id}/permission/check provides error messages in the response if the user or group fails the permission check. These include the below four messages:
User does not have permission to the space
User does not have permission to the content
Anonymous user does not have permission to the space
Anonymous user does not have permission to the content
Calling this endpoint for operations other than read may not consistently return "User does not have permission to the space" or "Anonymous user does not have permission to the space" and may return "User does not have permission to the content"/"Anonymous user does not have permission to the content" even if the check failed due to a lack of space permissions.
Calling this endpoint with read for the operation parameter will generally still return “User does not have permission to the space” or ”Anonymous user does not have permission to the space” with about the same frequency as before.
Rate this page: