Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Spook.js: speculative execution resulting in cross-domain browser information leakage

Security Notice: Speculative execution in web browsers resulting in information leakage (Spook.js)


On , a group of university researchers sent Atlassian white paper describing attacks against Google Chrome’s strict site isolation implementation, a mechanism used by the browser to protect against speculative execution attacks. Though their focus was on Chrome, the researchers noted the strict site isolation implementation is affected in all Chromium-based browsers (e.g. Microsoft Edge, Brave), as well as Mozilla Firefox.

The report includes an attack that allows an attacker to obtain a list of URLs loaded in a user’s browser tabs by tricking them into loading a malicious web page.

Atlassian has implemented the researchers' suggested mitigation against this attack to protect users with web browsers that use strict site isolation. No other action is required.

Vulnerability Details

Google Chrome uses strict site isolation to put content from different domains in separate address spaces to protect against speculative execution attacks. Domains that share the same effective top-level domain + 1 (eTLD+1) share the same address space. For example, a browser with open in one tab and open in another tab would load the content for each in the same address space since they share the same eTLD+1 ( Conversely, a browser with open in one tab and open in another tab would load the content for each site in separate address spaces since they do not share an eTLD+1 ( versus

Bitbucket Cloud users can create static websites containing custom HTML and javascript. Each website is created as a subdomain of Prior to mitigating this issue, websites owned by different users shared the same eTLD+1, which means the browser could load malicious content from one site (e.g. <attacker> in the same address space as content from another site (e.g. <workspaceId>, allowing the malicious site to read content from any other sites.


This attack allows an attacker to obtain a list of sites a user has open in other tabs by creating a static website containing malicious javascript, and tricking the user into loading that website in their browser.

Bitbucket does not set session cookies on any domains, so no other customer data is at risk.

An attacker could also obtain the contents of the pages loaded in the user’s other tabs, though this does not result in an information leak because the contents of all Bitbucket Cloud static websites are publicly accessible:

The static website you create with this feature is just like any other website on the Internet — anyone with the URL can visit and view your static website. The underlying Bitbucket repository can be a public or a private repository. This means if your Bitbucket repository is private, users can still visit and view the static website. The same is true if the underlying repository is public.


Atlassian has added to the Public Suffix List (PSL). Browsers use this information to treat each subdomain of as a unique eTLD+1, which prevents information leak attacks described in the Vulnerability Details section. No further action is required for users that visit with browsers that use strict site isolation as described in the section above.




Log in or Sign up to comment

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you