Last updated Sep 11, 2025

Content Security Policy adoption

Availability: Confluence 10.0 or later

This documentation is aimed at developers. It provides instructions for updating your apps and customizations to work with the new Content Security Policy (CSP) mechanism introduced in Confluence 10.0. As CSP adoption changes how JavaScript and other resources are loaded, you might need to update your code to avoid CSP violations and ensure your apps remain secure and functional.

What is Content Security Policy?

Content Security Policy (CSP) instructs the web browser what content (such as scripts, iframes, or images) is allowed to run on the page. Restricting what content is permitted can help protect users against a range of client-side application security threats.

The main purpose of Content Security Policy (CSP) is to control which resources, especially JavaScript, a document can load. CSP helps protect against cross-site scripting attacks (XSS), where attackers inject malicious code into the victim’s site.

The script-src Content Security Policy (CSP) header is currently enabled in report-only mode. In this mode, the system logs any violations but doesn’t block resources. This approach lets you monitor and collect data about potential security issues without impacting the user experience.

You can use additional utilities to set up nonces and add your own origins to the CSP header.

Impact on security and reliability

  • Prevention of XSS attacks: CSP reduces the risk of cross-site scripting (XSS) attacks.
  • Protection against code injection: CSP helps prevent other types of code injection attacks, such as SQL injection and server-side request forgery (SSRF).
  • Mitigation of data exfiltration: By restricting the resources that can be loaded on a page, CSP helps prevent data exfiltration attacks where sensitive information is stolen from the application.
  • Reduced downtime: CSP helps prevent malicious code from disrupting the normal operation of Confluence, reducing the risk of downtime and outages.
  • Enhanced stability: CSP improves the application’s overall stability and reliability by limiting the execution of untrusted scripts.

Customer experience benefits

  • Enhanced security: CSP provides customers with a more secure environment, reducing the risk of data breaches and unauthorized access.
  • Improved trust: By demonstrating a commitment to security, CSP helps build trust with customers and partners.
  • Reduced risk of malware: CSP helps protect customers from malware infections that can compromise their systems and data.

Adapt an app to CSP

Make the following JavaScript changes for your app:

  1. Remove JavaScript inline event handlers and javascript: URLs.
  2. Remove the eval() method from your JavaScript.
  3. Add additional config in your atlassian-plugin.xml in case your JavaScript is coming from external domains.
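As an added example (not from the Confluence documentation), the following Node.js script scans template markup for the constructs that steps 1 and 2 ask you to remove, plus inline <script> tags that carry no nonce, so you can find them before the policy is enforced. The sample template is constructed here.

```javascript
// Added example, not from the Confluence docs: a pre-enforcement lint for the
// constructs a script-src policy without 'unsafe-inline' / 'unsafe-eval' rejects.
// The regexes are deliberately simple (no HTML parser) and may report a false
// positive such as "eval(" inside a string literal, which you then review by hand.
const CHECKS = [
  { name: 'inline event handler',
    re: /\son[a-z]+\s*=\s*["'][^"']*["']/gi },
  { name: 'javascript: URL',
    re: /\s(?:href|src|action)\s*=\s*["']\s*javascript:/gi },
  { name: 'eval()',
    re: /\beval\s*\(/g },
  { name: 'inline <script> without nonce',
    re: /<script\b(?![^>]*\bnonce=)(?![^>]*\bsrc=)[^>]*>/gi },
];

// Returns one finding { name, line, snippet } per match, in source order.
function findCspViolations(markup) {
  const findings = [];
  markup.split('\n').forEach((line, i) => {
    for (const { name, re } of CHECKS) {
      re.lastIndex = 0;                      // reset the /g regex between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ name, line: i + 1, snippet: m[0].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample template: three CSP-unsafe forms, then their safe replacements.
const SAMPLE_TEMPLATE = `
<button onclick="alert('Button clicked!')">Click Me</button>
<a href="javascript:void(0)">Legacy link</a>
<script>eval(userInput);</script>
<script nonce="testRandomNonce">console.log('inline, but nonced');</script>
<script src="/download/resources/my-plugin/app.js"></script>
<button id="click-me">Click Me</button>
`;

for (const f of findCspViolations(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.name}: ${f.snippet}`);
}
```

Each finding names the line to fix; a clean run over your templates is a reasonable gate before switching the nonce properties on.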

Test your apps to avoid CSP violations

Any CSP violation reports sent by the browser will be logged for further analysis. To identify and correct CSP violations in your app, enable the following system properties.

Sysprop                        Description                                           Default value
enable.csp.violation.logging   Enables CSP violation reports to a log file.          false (disabled by default)
csp.enable.nonce.js            Enables CSP nonce for <script> tags.                  false (disabled by default)
csp.enable.nonce.css           Enables CSP nonce for <link rel="stylesheet"> tags.   false (disabled by default)
csp.enable.nonce.prefetch      Enables CSP nonce for <link rel="prefetch"> tags.     false (disabled by default)

Replace inline event handlers

Ideally, replace inline scripts with external JavaScript. For example, if you use an inline event handler like the one below, move the onclick handler out of the markup into an external script.

<button onclick="alert('Button clicked!')">Click Me</button>

Move inline scripts like the following one into external JavaScript as well.

<script>
    console.log('This is inline JavaScript inside a script tag.');
</script>

Another option is to provide a nonce, as in the following example:

<script nonce="<nonce>">
    console.log('This is inline JavaScript inside a script tag.');
</script>

In this example, <nonce> is replaced by the value returned from a utility Java method that we'll provide.

Add custom origins to the CSP header using a module descriptor

Use this module descriptor to add your app's origins to the CSP header.

<csp name="<name>" key="<key>" class="MyCustomCspFragment"/>

You can provide a CSP fragment by implementing the CspFragment interface, as shown below.

import java.net.URI;
import java.util.Set;

import com.atlassian.security.csp.api.CspDirective;
import com.atlassian.security.csp.api.CspFragment;

public class MyCustomCspFragment implements CspFragment {
    // The CSP directives this fragment contributes origins to.
    @Override
    public Set<CspDirective> getCSPDirectives() {
        return Set.of(CspDirective.SCRIPT_SRC);
    }

    // The origins to add for each directive returned above. Replace <mydomain>
    // with your app's origin. URI.create avoids the checked URISyntaxException
    // that the new URI(...) constructor declares.
    @Override
    public Set<URI> getCSPOrigins(CspDirective cspDirective) {
        return Set.of(URI.create("<mydomain>"));
    }

    // Request paths on which this fragment applies.
    @Override
    public Set<String> getUrlPatterns() {
        return Set.of("/**"); // paths to apply
    }
}

Also, any custom UI templates will have the cspNonce attribute set in the HTTP request. You need to add this nonce to your inline scripts so that CSP doesn't report them.

<script nonce='httpRequest.getAttribute("cspNonce")'>
  //Some code
</script>

For example, if the nonce in the CSP header looks like this: script-src 'nonce-testRandomNonce', then the script tag must use the nonce value without the nonce- prefix:

<script nonce="testRandomNonce">
  ...
</script>
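To make the header semantics concrete, here is an added example (not Confluence code) that parses the script-src directive and reports, as a browser would, which <script> tags on a page are allowed once the header carries your app's origins and a nonce. It assumes origins are given as full scheme://host sources, as a URI from getCSPOrigins would yield, and does not handle wildcard, hash or 'strict-dynamic' sources; the header, page origin and script list below are constructed.

```javascript
// Added example, not from the Confluence docs. Origins are assumed to be full
// scheme://host sources; wildcard, hash and 'strict-dynamic' sources are not handled.

// Parse the script-src directive out of a full CSP header value.
function parseScriptSrc(header) {
  const directive = header.split(';').map(d => d.trim())
    .find(d => d.split(/\s+/)[0] === 'script-src');
  if (!directive) return null;                 // no script-src: nothing to enforce here
  const policy = { nonces: new Set(), origins: new Set(), self: false };
  for (const token of directive.split(/\s+/).slice(1)) {
    const t = token.replace(/^'|'$/g, '');     // keyword and nonce sources are single-quoted
    if (t.startsWith('nonce-')) policy.nonces.add(t.slice('nonce-'.length));
    else if (t === 'self') policy.self = true;
    else policy.origins.add(new URL(t).origin);
  }
  return policy;
}

// script is { src?, nonce? } as taken from the <script> tag attributes.
function checkScript(policy, script, pageOrigin) {
  // A matching nonce allows the script regardless of where it comes from.
  if (script.nonce !== undefined && policy.nonces.has(script.nonce)) return 'allowed';
  if (script.src === undefined) return 'blocked: inline script without a matching nonce';
  const origin = new URL(script.src, pageOrigin).origin;
  if (policy.self && origin === pageOrigin) return 'allowed';
  if (policy.origins.has(origin)) return 'allowed';
  return `blocked: origin ${origin} is not in script-src`;
}

function evaluatePage(header, pageOrigin, scripts) {
  const policy = parseScriptSrc(header);
  return scripts.map(s => checkScript(policy, s, pageOrigin));
}

// Constructed inputs: the nonce from the text plus an extra app origin.
const HEADER = "default-src 'self'; script-src 'self' 'nonce-testRandomNonce' https://cdn.example.com";
const PAGE_ORIGIN = 'https://confluence.example.com';
const SCRIPTS = [
  { nonce: 'testRandomNonce' },                      // correct: nonce- prefix omitted
  { nonce: 'nonce-testRandomNonce' },                // common mistake: prefix kept
  {},                                                // inline, no nonce
  { src: '/download/resources/my-plugin/app.js' },   // same origin as the page
  { src: 'https://cdn.example.com/lib.js' },         // origin added via a CspFragment
  { src: 'https://other.example.net/lib.js' },       // origin not listed
];
console.log(evaluatePage(HEADER, PAGE_ORIGIN, SCRIPTS));
```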
