The `permissions` section of the `manifest.yml` file controls your app's access to remote resources.

The `scopes` list declares which OAuth 2.0 scopes are required by your app when using the authenticated Product Fetch APIs and Product events.
Define each scope on a new line. Your app should use the minimum set of scopes required.
```yaml
permissions:
  scopes:
    - 'read:confluence-content.summary'
    - 'write:jira-work'
```
If your app requires no OAuth 2.0 permissions, you must provide an empty `scopes` list as in the example below.

```yaml
permissions:
  scopes: []
```
Note: Forge apps deployed in the development environment always receive all available OAuth 2.0 scopes.
Certain platform features, such as the App storage API, are also authenticated using OAuth 2.0.
Scope | Description |
---|---|
storage:app | Enables the App storage API. |
report:personal-data | Enables the User privacy API. |
Scopes enable a Forge app to request a level of access to an Atlassian product. You can find details of the required scopes in each product's REST API documentation and event documentation on a per-operation basis in the "OAuth scopes required" field. You can also check the following documentation details:

Note: not all operations support OAuth 2.0 authentication.

- The Compass GraphQL API scopes.
Scope | Description |
---|---|
read:component:compass | Read Compass components. |
write:component:compass | Create, update, and delete Compass components. |
read:event:compass | Read Compass event data. |
write:event:compass | Create and delete Compass event data. |
read:metric:compass | Read Compass metric data. |
write:metric:compass | Create and delete Compass metric data. |
read:scorecard:compass | Read Compass scorecards. |
write:scorecard:compass | Create, update, and delete Compass scorecards. |
The `content` section declares which Content Security Policy (CSP) options are required by your app when using custom UI.

The `scripts` list declares which sources are allowed for an app's `script-src` policy. In the example below, `script-src 'unsafe-hashes'` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  content:
    scripts:
      - 'unsafe-hashes'
```
Source | Description |
---|---|
unsafe-inline | Allows the use of inline resources, such as inline `<script>` elements, `javascript:` URLs, and inline event handlers. |
unsafe-hashes | Allows the use of specific inline event handlers. |
unsafe-eval | Allows the use of `eval()` and similar methods for creating code from strings. |
blob: | Allows `blob:` URIs to be used as a content source. |
&lt;sha-algorithm&gt;-&lt;base64-value&gt; | Allows a specific script to be executed, provided it matches the hash declared here. The only valid hash algorithms are `sha256`, `sha384`, and `sha512`. |
The `styles` list declares which sources are allowed for an app's `style-src` policy. In the example below, `style-src 'unsafe-inline'` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  content:
    styles:
      - 'unsafe-inline'
```
Source | Description |
---|---|
unsafe-inline | Allows the use of inline resources, such as inline `<script>` elements, `javascript:` URLs, and inline event handlers. |
The `external` section declares the external resources that your custom UI app is allowed to access. In addition, it also covers which external websites your Forge function is allowed to communicate with. This covers both custom UI resolvers and any other Forge functions.

In each section, you can add a list of external domains, which end up as a source in an equivalent CSP directive.

External domains follow CSP protocols and must be in one of the following formats:

- An `https` or `wss` URL, such as `https://www.example-dev.com`. Note: adding a site URL means that all resources on this site are allowed; you don't need to add `*` at the end.
- A wildcard `*`, for example `*.example.com`. This includes all nested subdomains below the specified domain name. Wildcards can be used with subdomains, for example `*.static.example.com` to limit to just the `static` subdomain.

External domains must not contain any invalid special characters. You can check your domain with the following regex pattern:

```text
^(\*\.)?[.a-zA-Z0-9_\-\/:~#%]+$
```
The `fetch` section has the following configurations: `backend` and `client`.

The `fetch.backend` list declares which external domains your Forge functions can talk to. This applies to both custom UI resolvers and any other Forge functions. You don't need to specify individual URLs, such as `example-dev.com/path`. Adding one domain allows access to any URL on that domain.

In the example below, `*.example-dev.com` is allowed for all of the calls that your Forge function is making:

```yaml
permissions:
  external:
    fetch:
      backend:
        - '*.example-dev.com'
```

Note: calls made to any domain that is not defined in the `manifest.yml` file of your app will be rejected. Learn more about runtime egress permissions.
The `fetch.client` list declares which external sources are allowed for an app's `connect-src` policy. In the example below, `connect-src *.example-dev.com` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    fetch:
      client:
        - '*.example-dev.com'
```

Note: using a wildcard such as `*.example-dev.com` for CSP does not include the parent domain. If you need to support both, explicitly add the parent domain as a second entry.
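The wildcard caveat above, together with the external-domain formats and regex given earlier and the runtime rejection of undeclared domains, is easy to check before deploying. The following added example (not code from the Forge documentation) validates `permissions.external` entries with the page's regex and reports which fetch targets no declared source covers; the matching rules are a simplified model of CSP host matching that encodes only what the page states, and the sources, URLs and `withParentDomains` helper are constructed for illustration.

```javascript
// Added example (not from the Forge docs): validate permissions.external entries
// with the documented regex and find which fetch targets no declared source covers.
// Matching is a simplified model that encodes the page's two rules: a site URL covers
// every resource on that host, and '*.example.com' covers subdomains but not the parent.

// Pattern the documentation gives for external domain entries.
const EXTERNAL_DOMAIN_PATTERN = /^(\*\.)?[.a-zA-Z0-9_\-\/:~#%]+$/;

function isValidExternalDomain(entry) {
  return EXTERNAL_DOMAIN_PATTERN.test(entry);
}

// Does one manifest source cover the given URL?
function sourceCovers(source, urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  if (source.startsWith('*.')) {
    const suffix = source.slice(2).toLowerCase();
    return host.endsWith('.' + suffix); // 'example.com' itself never ends with '.example.com'
  }
  if (/^(https|wss):\/\//.test(source)) {
    return new URL(source).hostname.toLowerCase() === host; // whole host, any path
  }
  return source.toLowerCase() === host; // bare hostname entry
}

// URLs that no declared source covers: these are the calls the runtime rejects.
function uncoveredUrls(sources, urls) {
  return urls.filter((u) => !sources.some((s) => sourceCovers(s, u)));
}

// The page's fix for the wildcard caveat: add each wildcard's parent as its own entry.
function withParentDomains(sources) {
  const parents = sources
    .filter((s) => s.startsWith('*.'))
    .map((s) => 'https://' + s.slice(2))
    .filter((p) => !sources.includes(p));
  return [...sources, ...parents];
}

// Constructed sample manifest entries and fetch targets (not real services).
const SAMPLE_SOURCES = ['*.example-dev.com', 'https://assets.example-cdn.com'];
const SAMPLE_URLS = [
  'https://api.example-dev.com/v1/items',     // covered by the wildcard
  'https://eu.api.example-dev.com/v1/items',  // nested subdomain, also covered
  'https://example-dev.com/v1/items',         // parent domain: NOT covered by '*.example-dev.com'
  'https://assets.example-cdn.com/app.js',    // covered by the explicit site URL
  'https://cdn.other-site.com/lib.js',        // not declared at all
];
```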
The `fonts` list declares which external sources are allowed for an app's `font-src` policy. In the example below, `font-src https://www.example-dev.com/fonts.css` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    fonts:
      - 'https://www.example-dev.com/fonts.css'
```
The `frames` list declares which external sources are allowed for an app's `frame-src` policy. In the example below, `frame-src https://www.example-dev.com/embed/page` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    frames:
      - 'https://www.example-dev.com/embed/page'
```
The `images` list declares which external sources are allowed for an app's `img-src` policy. In the example below, `img-src https://www.example-dev.com/image.png` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    images:
      - 'https://www.example-dev.com/image.png'
```
The `media` list declares which external sources are allowed for an app's `media-src` policy. In the example below, `media-src https://www.example-dev.com/video.mp4` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    media:
      - 'https://www.example-dev.com/video.mp4'
```
The `scripts` list declares which external sources are allowed for an app's `script-src` policy. In the example below, `script-src https://www.example-dev.com/script.js` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    scripts:
      - 'https://www.example-dev.com/script.js'
```
The `styles` list declares which external styles are allowed for an app's `style-src` policy. In the example below, `style-src https://www.example-dev.com/stylesheet.css` is included in the CSP header for all modules using custom UI:

```yaml
permissions:
  external:
    styles:
      - 'https://www.example-dev.com/stylesheet.css'
```