Rate this page:
The permissions section of the manifest.yml file controls your app's access to
remote resources.
The scopes list declares which OAuth 2 scopes are required by your app
when using the authenticated Product Fetch APIs,
and Product events.
Define each scope on a new line. Your app should use the minimum set of scopes required.
1 2 3 4
permissions:
scopes:
- 'read:confluence-content.summary'
- 'write:jira-work'If your app requires no OAuth 2 permissions, you must provide an empty scopes list as in the example below.
1 2
permissions:
scopes: []Note, Forge apps deployed in the development environment always receive all available OAuth 2 scopes.
Certain platform features, such as the App storage API, are also authenticated using OAuth 2.
| Scope | Description |
|---|---|
storage:app | Enables the App storage API. |
report:personal-data | Enables the User privacy API. |
In addition to the reference tables below, you can find the required scopes in each product's REST API documentation and event documentation on a per-operation basis in the OAuth scopes required field. Note, not all operations support OAuth 2 authentication.
The Confluence Cloud REST API and Confluence event scopes.
| Scope | Description |
|---|---|
read:confluence-content.all | Read all content, including content body (expansions permitted). Note, APIs using this scope may also return data allowed by read:confluence-space.summary. However, this scope is not a substitute for read:confluence-space.summary. |
read:confluence-content.summary | Read a summary of the content, which is the content without expansions. Note, APIs using this scope may also return data allowed by read:confluence-space.summary. However, this scope is not a substitute for read:confluence-space.summary. |
write:confluence-content | Create pages, blogs, comments, and questions. |
read:confluence-space.summary | Read a summary of space information without expansions. |
write:confluence-space | Create, update, and delete space information. |
write:confluence-file | Upload attachments. |
read:confluence-props | Read content properties. |
write:confluence-props | Write content properties. |
search:confluence | Search Confluence. Note, APIs using this scope may also return data allowed by read:confluence-space.summary and read:confluence-content.summary. However, this scope is not a substitute for read:confluence-space.summary or read:confluence-content.summary. |
manage:confluence-configuration | Manage global settings. |
The Jira Cloud REST API and Jira event scopes.
| Scope | Description |
|---|---|
read:jira-user | View user information in Jira that you have access to, including usernames, email addresses, and avatars. |
read:jira-work | Read project and issue data, and search for issues and objects associated with issues, such as attachments and worklogs. |
write:jira-work | Create and edit issues in Jira, post comments, create worklogs, and delete issues. |
manage:jira-project | Create and edit project settings, and create new project-level objects, such as versions and components. |
manage:jira-configuration | Configure Jira settings that require Jira administrator permissions, such as create projects and custom fields, view workflows, and manage issue link types. |
The content section declares which Content Security Policy (CSP) options are required by your app
when using custom UI.
The scripts list declares which sources are allowed for an app's script-src policy.
In the example below, script-src 'unsafe-hashes' is included in the CSP header for all modules
using custom UI:
1 2 3 4
permissions:
content:
scripts:
- 'unsafe-hashes'| Source | Description |
|---|---|
unsafe-inline | Allows the use of inline resources, such as inline <script> elements,
javascript: URLs, and inline event handlers. |
unsafe-hashes | Allows the use of specific inline event handlers. |
unsafe-eval | Allows the use of eval() and similar methods for creating code from strings. |
<sha-algorithm>-<base64-value> | Allows a specific script to be executed, provided it matches the hash declared here.
The only valid hash algorithms are: sha256, sha384, and sha512. |
The styles list declares which sources are allowed for an app's style-src policy.
In the example below, style-src 'unsafe-inline' is included in the CSP header for all modules
using custom UI:
1 2 3 4
permissions:
content:
styles:
- 'unsafe-inline'| Source | Description |
|---|---|
unsafe-inline | Allows the use of inline resources, such as inline <script> elements,
javascript: URLs, and inline event handlers. |
The external section declares the external resources that your custom UI app is allowed to access.
In addition, it also covers which external website your Forge function is allowed to communicate with. This covers both Custom UI resolvers and any other Forge functions.
In each section, you can add a list of external domains, which end up as a source in an equivalent CSP directive.
External domains must be in one of the following formats:
https or wss URL, such as https://www.example-dev.comwww.example-dev.com*, such as *.example-dev.com*External domains must not contain any invalid special characters. You can check your domain with the following regex pattern:
1
^(\*\.)?[.a-zA-Z0-9_\-\/:~#%]+$The fetch section has the following configurations, backend and client.
The fetch.backend list declares which external domains your Forge functions can talk to. This
applies to both custom UI resolvers and any other Forge functions.
In the example below, *.example-dev.com is allowed for all of the calls that your Forge function
is making:
1 2 3 4 5
permissions:
external:
fetch:
backend:
- '*.example-dev.com'Note, calls made to any domain that is not defined in the manifest.yml file of your app will be
rejected. Learn more about runtime egress permissions.
The fetch.client list declares which external sources are allowed for an app's connect-src policy.
In the example below, connect-src *.example-dev.com is included in the CSP header for all
modules using custom UI:
1 2 3 4 5
permissions:
external:
fetch:
client:
- '*.example-dev.com'Note, using a wildcard such as *.example-dev.com for CSP does not include the parent domain.
If you need to support both, explicitly add the parent domain as a second entry.
The fonts list declares which external sources are allowed for an app's font-src policy.
In the example below, font-src https://www.example-dev.com/fonts.css is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
fonts:
- 'https://www.example-dev.com/fonts.css'The frames list declares which external sources are allowed for an app's frame-src policy.
In the example below, frame-src https://www.example-dev.com/embed/page is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
frames:
- 'https://www.example-dev.com/embed/page'The images list declares which external sources are allowed for an app's img-src policy.
In the example below, img-src https://www.example-dev.com/image.png is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
images:
- 'https://www.example-dev.com/image.png'The media list declares which external sources are allowed for an app's media-src policy.
In the example below, media-src https://www.example-dev.com/video.mp4 is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
media:
- 'https://www.example-dev.com/video.mp4'The scripts list declares which external sources are allowed for an app's script-src policy.
In the example below, script-src https://www.example-dev.com/script.js is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
scripts:
- 'https://www.example-dev.com/script.js'The styles list declares which external styles are allowed for an app's style-src policy.
In the example below, style-src https://www.example-dev.com/stylesheet.css is included in the CSP
header for all modules using custom UI:
1 2 3 4
permissions:
external:
styles:
- 'https://www.example-dev.com/stylesheet.css'Rate this page: