Hello,
Our application security team has flagged the JSD widget as an issue. The complaint is about sub-resource integrity for the embed.js script from Atlassian. The recommendation is to add integrity and cross-origin properties to the <script> tag.
For example, changing this:
<script data-jsd-embedded
data-key="12345"
data-base-url="https://jsd-widget.atlassian.com"
src="https://jsd-widget.atlassian.com/assets/embed.js"></script>
To this:
<script data-jsd-embedded
data-key="12345"
data-base-url="https://jsd-widget.atlassian.com"
src="https://jsd-widget.atlassian.com/assets/embed.js"
integrity="sha384-abcde12345/zyxwv+09876"
crossorigin="anonymous"></script>
However, this change results in the following errors: "Access to script at 'https://jsd-widget.atlassian.com/assets/embed.js' from origin 'http://myco.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
and "GET https://jsd-widget.atlassian.com/assets/embed.js net::ERR_FAILED 200"
Has anyone else encountered this issue and found a solution, outside of removing the widget?
Can Atlassian please include the 'Access-Control-Allow-Origin' header?
I am having the same issue. Any update on this? We are working on security certification and this is the only blocker.
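As an added illustration (not code from the post or from Atlassian), this Node.js example models how a browser decides whether it can enforce `integrity` on a cross-origin script, and reproduces the CORS failure quoted in the post. The function names, the sample script body and the sample response headers are constructed for the example.

```javascript
const { createHash } = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Integrity attribute value for a script body: "<algo>-<base64 digest>".
function sriValue(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Models the browser's decision for <script src integrity crossorigin>.
// `headers` holds the script's response headers with lower-cased names.
function sriCheck({ pageOrigin, scriptUrl, crossorigin, integrity, headers, body }) {
  const tokens = (integrity || '').trim().split(/\s+/)
    .filter((t) => STRENGTH.includes(t.split('-')[0]));
  const crossOrigin = new URL(scriptUrl).origin !== pageOrigin;
  if (crossOrigin && crossorigin === undefined) {
    // no-cors fetch: the response is opaque, so a hash cannot be enforced.
    return tokens.length ? { ok: false, reason: 'opaque-response' }
      : { ok: true, reason: 'unchecked' };
  }
  if (crossOrigin) {
    const acao = headers['access-control-allow-origin'];
    const allowed = crossorigin === 'use-credentials'
      ? acao === pageOrigin && headers['access-control-allow-credentials'] === 'true'
      : acao === '*' || acao === pageOrigin;
    // The failure quoted in the post: no Access-Control-Allow-Origin header.
    if (!allowed) return { ok: false, reason: 'cors-blocked' };
  }
  if (tokens.length === 0) return { ok: true, reason: 'unchecked' };
  // Only hashes of the strongest algorithm listed are compared.
  const algo = STRENGTH[Math.max(...tokens.map((t) => STRENGTH.indexOf(t.split('-')[0])))];
  return tokens.includes(sriValue(body, algo))
    ? { ok: true, reason: 'verified' } : { ok: false, reason: 'hash-mismatch' };
}

// Constructed sample data, not the real embed.js or the vendor's real headers.
const SAMPLE_BODY = 'console.log("widget v1");';
const base = {
  pageOrigin: 'http://myco.com',
  scriptUrl: 'https://jsd-widget.atlassian.com/assets/embed.js',
  crossorigin: 'anonymous', integrity: sriValue(SAMPLE_BODY), body: SAMPLE_BODY,
};
const cors = { 'access-control-allow-origin': '*' };
console.log(sriCheck({ ...base, headers: {} }).reason);            // cors-blocked
console.log(sriCheck({ ...base, headers: cors }).reason);          // verified
console.log(sriCheck({ ...base, headers: cors, body: SAMPLE_BODY + ' ' }).reason); // hash-mismatch
```

A pinned hash also stops matching whenever the file served at that URL changes, which is what the `hash-mismatch` case shows.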