Custom UI iframe

All Custom UI apps are run within an iframe. This provides a secure and isolated hosting environment for custom-built user interfaces. This page describes the preset permissions of the iframe.

iframe permissions

The following permissions are applied to the iframe by default and cannot be modified by the developer of the Forge application.

Feature policies

A number of feature policies are specified for the Custom UI iframe. These policies define the features that are available to the iframe based on the origin of the request.

The following table lists the feature policies configured for the Custom UI iframe.

Sandbox restrictions

The new native Node.js runtime is now in preview, and will eventually replace Forge’s current runtime environment. We strongly encourage you to test your apps on this new runtime for compatibility and performance.

This new runtime introduces several changes to the way security and egress controls work. Sandboxing and snapshots (including related settings and restrictions) are also no longer relevant in the new runtime. These changes may result in additional developer responsibilities to help uphold Forge's security.

The iframe also has a set of sandbox attributes that enable extra restrictions for the content in the iframe.

The following table lists the sandbox attributes applied to the Custom UI iframe.

| Sandbox attribute | Description |
| --- | --- |
| allow-downloads | Allows downloads to be started via a user gesture. |
| allow-forms | Allows the resource to submit forms. |
| allow-modals | Allows the resource to open modal windows. |
| allow-pointer-lock | Allows the resource to use the Pointer Lock API. |
| allow-same-origin | Allows the iframe content to be treated as being from the same origin as its parent. |
| allow-scripts | Allows the resource to run scripts, but not create pop-up windows. |
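
The token list in the table above can be turned into a check, for instance in a test that compares an iframe's sandbox attribute value against this preset. This is an added example, not Atlassian's code: auditSandbox, the sample attribute strings and the list of sandbox tokens outside the preset (taken from the HTML standard) are assumptions that do not appear on this page.

```javascript
// Added example: sandbox tokens from the table above (the Forge Custom UI preset).
const FORGE_PRESET = new Set([
  "allow-downloads", "allow-forms", "allow-modals",
  "allow-pointer-lock", "allow-same-origin", "allow-scripts",
]);

// Sandbox tokens defined by the HTML standard; used to tell typos from real tokens.
const HTML_TOKENS = new Set([
  ...FORGE_PRESET,
  "allow-orientation-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// The attribute is a set of whitespace-separated tokens, compared case-insensitively.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// auditSandbox is a hypothetical helper name, not a Forge API.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const sorted = (items) => [...items].sort();
  return {
    // Preset tokens absent from the attribute: the listed behaviour will not work.
    missing: sorted([...FORGE_PRESET].filter((t) => !tokens.has(t))),
    // Valid tokens beyond the preset: restrictions lifted that the table does not list.
    extra: sorted([...tokens].filter((t) => HTML_TOKENS.has(t) && !FORGE_PRESET.has(t))),
    // Not sandbox tokens at all (typos); browsers ignore them.
    unknown: sorted([...tokens].filter((t) => !HTML_TOKENS.has(t))),
    // Restrictions still in force because the token was not granted.
    withheld: sorted([...HTML_TOKENS].filter((t) => !tokens.has(t))),
  };
}

// Constructed sample values, not captured from a real Forge page.
const presetValue =
  "allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts";
const driftedValue = "Allow-Scripts  allow-forms allow-popups allow-top-navigaton";

console.log(auditSandbox(presetValue));
console.log(auditSandbox(driftedValue));
```

For the preset value, `withheld` lists the tokens the table does not grant, such as allow-popups and allow-top-navigation, which is why a Custom UI app cannot rely on pop-up windows or on navigating the top-level page.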