Spook.js: speculative execution resulting in cross-domain browser information leakage

Security Notice: Speculative execution in web browsers resulting in information leakage (Spook.js)


On , a group of university researchers sent Atlassian a white paper describing attacks against Google Chrome's strict site isolation implementation, the mechanism the browser uses to protect against speculative execution (Spectre-style) attacks. Though their focus was on Chrome, the researchers noted that the strict site isolation implementation is affected in all Chromium-based browsers (e.g. Microsoft Edge, Brave), as well as in Mozilla Firefox.

The report includes an attack that allows an attacker to obtain the list of URLs loaded in a user's browser tabs by tricking the user into loading a malicious web page.

Atlassian has implemented the researchers' suggested mitigation against this attack to protect users whose web browsers use strict site isolation. No other action is required.

Vulnerability Details

Google Chrome uses strict site isolation to load content from different sites in separate renderer processes, and therefore separate address spaces, so that a speculative execution attack running in one site cannot read memory belonging to another. For this purpose a "site" is determined by the effective top-level domain plus one label (eTLD+1): hostnames that share the same eTLD+1 are treated as the same site and share an address space. For example, a browser with open in one tab and open in another tab would load the content for each in the same address space since they share the same eTLD+1 ( Conversely, a browser with open in one tab and open in another tab would load the content for each site in separate address spaces since they do not share an eTLD+1 ( versus

Bitbucket Cloud users can create static websites containing custom HTML and JavaScript. Each website is created as a subdomain of Prior to mitigating this issue, websites owned by different users shared the same eTLD+1, so the browser could load malicious content from one site (e.g. <attacker> into the same address space as content from another site (e.g. <workspaceId>, allowing the malicious site to use speculative execution to read memory belonging to any other site loaded in that process.


This attack allows an attacker to obtain a list of the sites a user has open in other tabs by creating a static website containing malicious JavaScript and tricking the user into loading that website in their browser.

Bitbucket does not set session cookies on any of these static-website domains, so no other customer data is at risk.

An attacker could also read the contents of the pages loaded in the user's other tabs, though for Bitbucket Cloud static websites this discloses nothing new, because the contents of all such sites are publicly accessible in any case:

The static website you create with this feature is just like any other website on the Internet — anyone with the URL can visit and view your static website. The underlying Bitbucket repository can be a public or a private repository. This means if your Bitbucket repository is private, users can still visit and view the static website. The same is true if the underlying repository is public.


Atlassian has added to the Public Suffix List (PSL). Browsers use this list to treat each subdomain of as its own eTLD+1, so two static websites are no longer the same site and strict site isolation places them in separate processes, which prevents the information leak attacks described in the Vulnerability Details section. No further action is required for users that visit with browsers that use strict site isolation as described in the section above.
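The following is an added example, not Atlassian's or Chromium's code, that makes the eTLD+1 reasoning from the Vulnerability Details section and the PSL mitigation above concrete. It derives the site key (scheme + eTLD+1) that site isolation uses from a toy Public Suffix List, then shows that two subdomains of a shared parent are same-site before that parent is added to the list and different sites after. The PSL contents and the parent domain `static.example` are constructed placeholders, not the real list or the real Bitbucket static-site domain; wildcard and exception PSL rules are omitted.

```javascript
// Added example (not Atlassian's code): how a browser derives the "site"
// (scheme + eTLD+1) used for site isolation, and how adding a parent domain
// to the Public Suffix List (PSL) splits its subdomains into separate sites.
// BASE_PSL is a constructed toy subset of the real list; "static.example"
// is an assumed stand-in for the static-website parent domain.

const BASE_PSL = new Set(["com", "org", "io", "co.uk", "github.io"]);

// Longest public suffix matching the hostname: candidate suffixes are built
// from the right, and the longest one present in the list wins. An unlisted
// TLD is still treated as a suffix, as the real algorithm does.
function publicSuffix(hostname, psl) {
  const labels = hostname.toLowerCase().split(".");
  let best = labels[labels.length - 1];
  for (let i = labels.length - 2; i >= 0; i--) {
    const candidate = labels.slice(i).join(".");
    if (psl.has(candidate)) best = candidate;
  }
  return best;
}

// eTLD+1: the public suffix plus exactly one more label. Returns null when
// the hostname is itself a public suffix (no registrable domain).
function registrableDomain(hostname, psl) {
  const host = hostname.toLowerCase();
  const suffix = publicSuffix(host, psl);
  if (host === suffix) return null;
  const rest = host.slice(0, host.length - suffix.length - 1);
  const lastLabel = rest.split(".").pop();
  return `${lastLabel}.${suffix}`;
}

// Site-isolation key: scheme plus eTLD+1 (falls back to the bare hostname
// when there is no registrable domain).
function siteForUrl(urlString, psl) {
  const url = new URL(urlString);
  const etld1 = registrableDomain(url.hostname, psl);
  return `${url.protocol}//${etld1 ?? url.hostname}`;
}

// Two URLs share a renderer process under strict site isolation exactly
// when their site keys are equal.
function sameSite(urlA, urlB, psl) {
  return siteForUrl(urlA, psl) === siteForUrl(urlB, psl);
}

// Simulate the mitigation: publish the parent domain as a public suffix.
function withSuffixAdded(psl, suffix) {
  const extended = new Set(psl);
  extended.add(suffix.toLowerCase());
  return extended;
}

// Before/after view for an attacker-controlled and a victim static site
// hosted under the same (assumed) parent domain.
function demo() {
  const attacker = "https://attacker.static.example/";
  const victim = "https://workspace.static.example/";
  const mitigated = withSuffixAdded(BASE_PSL, "static.example");
  return {
    before: sameSite(attacker, victim, BASE_PSL),     // true: one process
    after: sameSite(attacker, victim, mitigated),     // false: isolated
    attackerSiteAfter: siteForUrl(attacker, mitigated),
  };
}

console.log(demo());
```

The real PSL entry is a single hostname line in the list's private-domains section; because browsers ship a snapshot of the list, the isolation takes effect for a given user once that browser has picked up a build or update containing the entry.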



