To improve security, we are adding sandboxing to Connect App iframes in Bitbucket. The same change has already been implemented in Jira and Confluence. The sandbox adds extra security by preventing the content of the iframe from performing certain actions. You have until February 20, 2021 to update your Connect Apps and fix any breaking changes.
We will use the following allowlist:
allow-downloads
allow-forms
allow-modals
allow-popups
allow-same-origin
allow-scripts
allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)
In general, most apps should not be affected; however, if your app does anything outside of the allowlist, you will notice some breaking changes.
Examples of prohibited actions are:
Accessing window.parent or window.top directly from inside your iframe's JavaScript (for example, setting window.top.location.href without a user gesture)
Setting document.domain of your iframe or any nested iframe
Using window.history in a custom back button (e.g. invoking window.history.go(-1))
There is a lab feature available now in your Personal settings labeled connect-iframe-sandbox.
When you enable the feature, all Connect Apps will be sandboxed and will only be allowed to access functionality in the allowlist.
You can test your Connect Apps for breaking changes by turning this lab feature on and updating them as needed.
After February 2021, the feature will be released completely and you will no longer be able to change the state in the labs section.
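As an added example (not Atlassian's code), the following Node.js script generates a local test page that embeds a Connect app in an iframe carrying the same sandbox allowlist listed above, so the restrictions can be reproduced outside the lab feature; the app URL is a placeholder, and the Firefox line is read as allow-top-navigation replacing the by-user-activation token.

```javascript
// Added example (not Atlassian code): generate a local page that embeds a
// Connect app with the sandbox allowlist from the announcement. Assumption:
// on Firefox, allow-top-navigation replaces the by-user-activation token.
const BASE_ALLOWLIST = ['allow-downloads', 'allow-forms', 'allow-modals',
  'allow-popups', 'allow-same-origin', 'allow-scripts'];
const TOP_NAV = 'allow-top-navigation-by-user-activation';
const TOP_NAV_FIREFOX = 'allow-top-navigation';

// Value of the iframe sandbox attribute for the given browser.
function sandboxAttribute(isFirefox) {
  return BASE_ALLOWLIST.concat(isFirefox ? TOP_NAV_FIREFOX : TOP_NAV).join(' ');
}

// Escape for a double-quoted HTML attribute (and text), so characters in the
// app URL cannot break out of the harness markup.
function escapeHtml(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Complete HTML page embedding appUrl in a sandboxed iframe; only http(s)
// URLs are accepted so a javascript: URL cannot slip into src.
function buildHarness(appUrl, isFirefox) {
  const url = new URL(appUrl);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('app URL must be http(s): ' + appUrl);
  }
  const sandbox = sandboxAttribute(isFirefox);
  return [
    '<!DOCTYPE html>',
    '<html><head><meta charset="utf-8"><title>Connect sandbox harness</title></head>',
    '<body><p>sandbox="' + escapeHtml(sandbox) + '"</p>',
    '<iframe src="' + escapeHtml(url.href) + '" sandbox="' + sandbox + '"',
    '        width="100%" height="600"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Usage: node harness.js https://your-app.example/page [--firefox] > harness.html
if (typeof require !== 'undefined' && require.main === module) {
  const args = process.argv.slice(2);
  const appUrl = args.find((a) => !a.startsWith('--')) || 'https://connect-app.example/iframe'; // placeholder
  process.stdout.write(buildHarness(appUrl, args.includes('--firefox')) + '\n');
}
```

Serve the generated page from an origin the app accepts for framing; an app that only permits framing from its Bitbucket host will refuse to load in the harness.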