Last updated Oct 28, 2024

Change notice: Sandboxing of Connect App iframes

Summary

To improve security, we are adding sandboxing to Connect App iframes in Bitbucket. These changes have been implemented by Jira and Confluence. The sandbox adds extra security by preventing the content of the iframe from performing certain actions. You have until February 20, 2021 to update your Connect Apps and fix any breaking changes.

Will my app be affected?

We will use the following allowlist:

  • allow-downloads
  • allow-forms
  • allow-modals
  • allow-popups
  • allow-same-origin
  • allow-scripts
  • allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)

In general, most apps should not be affected; however, if your app does anything outside of the allowlist, you will notice some breaking changes.

Examples of prohibited actions are:

  • Accessing window.parent or window.top directly from inside your iframe’s JavaScript (for example setting window.top.location.href without a user gesture)
  • Modifying document.domain of your iframe or any nested iframe
  • Using links to set the top level parent location asynchronously, without a user action
  • Obtaining a pointer lock
  • Using window.history in a custom back button (eg. invoking window.history.go(-1))
  • Relying on the browser PDF plugin to render PDFs

How can I test my changes?

There is a lab feature available now in your Personal settings labeled connect-iframe-sandbox. When you enable the feature, all Connect Apps will be sandboxed and will only be allowed to access functionality in the allowlist. You can test your Connect Apps for breaking changes by turning this lab feature on and update them as needed. After February 2021, the feature will be released completely and you will no longer be able to change the state in the labs section.

Rate this page: