Recently a client was asking us to implement Content-Security-Policy and/or X-Frame-Options in our addon.
After some discussion we still don't have a clear idea on the matter. Does it make sense to implement CSP in Confluence Cloud apps?
Our guess is that our frames won't work out of context unless you have a valid signed JWT. So we should be safe there.
Does Atlassian have any suggestion or answer on this matter?
Regards,
Hugo
May also be worth posting the question here https://community.developer.atlassian.com/ :)
You should definitely configure the Content Security Policy (CSP) for your Apps in the Cloud.
CSP reduces the attack vector of all kinds of vulnerabilities, e.g.
Sometimes, just by answering these questions, you can find things that are out of place.
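As an added illustration of the point above (example code, not from the original thread or from Atlassian): the directive that decides who may embed a Connect app's iframe is `frame-ancestors`, derived from the tenant baseUrl delivered in the `installed` lifecycle payload. The CDN origin for all.js and the tenant hostname are assumptions for the example, and the checker matches exact origins only (no wildcard sources).

```python
from urllib.parse import urlsplit

# Origin serving the Connect client library (all.js); assumed here,
# confirm against the Connect docs current at deployment time.
CONNECT_CDN = "https://connect-cdn.atl-paas.net"


def tenant_origin(base_url: str) -> str:
    """Reduce the tenant baseUrl (from the 'installed' lifecycle payload)
    to an https origin; anything else is rejected rather than echoed."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing baseUrl {base_url!r}")
    return f"https://{parts.netloc.lower()}"


def build_csp(base_url: str) -> str:
    """CSP for a page rendered inside the tenant's Confluence iframe.
    frame-ancestors is what limits embedding to that tenant; X-Frame-Options
    has no browser-supported form naming a single foreign origin (ALLOW-FROM
    is obsolete), so it is not emitted here."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' {CONNECT_CDN}",
        "connect-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        f"frame-ancestors {tenant_origin(base_url)}",
    ])


def ancestor_allowed(csp: str, ancestor_origin: str) -> bool:
    """Mirror the browser's frame-ancestors decision for one embedding
    origin, so the policy can be unit-tested before it ships."""
    for directive in csp.split(";"):
        name, *sources = directive.split()
        if name == "frame-ancestors":
            if "'none'" in sources:
                return False
            return ancestor_origin.lower() in {s.lower() for s in sources}
    return True  # no frame-ancestors directive: the browser imposes no limit


if __name__ == "__main__":
    policy = build_csp("https://example.atlassian.net")  # constructed tenant
    print(policy)
    print(ancestor_allowed(policy, "https://example.atlassian.net"))  # True
    print(ancestor_allowed(policy, "https://attacker.example"))  # False
```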