I have an issue in JSM where some of the images and JavaScript libraries in use come from the CDN CloudFront, but that domain is not in the CSP permissions file of the app, so they get blocked and we get broken images and functionality.
This is covered in the manual for people that self-host, but we are hosted by Atlassian and don't seem to have access to the variable that would allow us to change that.
Has anyone come across this?
This is the CSP they are using for us where you can see it does not include the needed *.cloudfront.com
frame-ancestors 'self' *.atlassian.net *.jira.com *.atl-paas.net *.atlassian.com trello.com bitbucket.org *.jiraalign.com;
report-uri https://web-security-reports.services.atlassian.com/csp-report/jira-frontend-bifrost;
report-to csp-default-endpoint
(I have raised a ticket with Atlassian with all the details and screenshots but the person that picked it up doesn't understand nor is escalating it so I have "hit a brick wall")
Hi @NCarmichael
Cloudfront is mentioned in this KB document.
Or check in the Developer Community for answers or support.
Or as you mention that this is part of an app, reach out to the vendor of the app.
Hi Marc, thanks for coming back. By app(s) I meant the Atlassian suite, as that is their preferred name now.
We don't have a "restrictive firewall" as such (but do use a cloud VPN), the issue however seems to be that the CSP list that defines what site the Atlassian apps can use does not always contain *.cloudfront.net (as defined as required by the document you kindly attached).
Hi @NCarmichael
You could reach out to Atlassian Support to present your case, but googling reveals more apps with this related error.
Or see if there is a solution on the Developer Community
I do have a ticket, but it isn't progressing.
As a workaround I have been using a browser plugin that will let me intercept and change the CSP, but I shouldn't have to do that.
I was hoping that by reaching out here others with the issue may have advice. I do like the idea that the requirement to use content from CloudFront may come from (or be because of) the plugins we have active, but ideally I'd be working on tickets for my product, not Atlassian's :-)
Thanks for your help so far, much appreciated.
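A way to check which directive of a policy governs a blocked image or script load, added here as an example that is not part of the thread and is not Atlassian code. The tenant origin, the CloudFront hostname and the restrictive policy are constructed, and the matcher is simplified (hosts, 'self', schemes and `*` only).

```javascript
// Added example, not Atlassian code. Simplified CSP source matching:
// hosts, 'self', schemes and '*' only; ports, paths, nonces and hashes are ignored.
const FALLBACK = {
  image: ['img-src', 'default-src'],
  script: ['script-src-elem', 'script-src', 'default-src'],
};

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function hostMatches(source, host) {
  // Strip an optional scheme, port and path from the source expression.
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[:/].*$/, '').toLowerCase();
  // "*.example.com" covers subdomains but not "example.com" itself.
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : host === pattern;
}

function checkFetch(header, kind, url, pageOrigin) {
  const policy = parsePolicy(header);
  const directive = FALLBACK[kind].find((d) => policy.has(d)) || null;
  if (!directive) return { allowed: true, directive }; // nothing in this policy governs the fetch
  const target = new URL(url);
  const allowed = policy.get(directive).some((src) => {
    if (src === '*') return /^https?:$/.test(target.protocol);
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    return hostMatches(src, target.hostname);
  });
  return { allowed, directive };
}

// Constructed inputs: hypothetical tenant origin, asset URL and restrictive policy.
const ORIGIN = 'https://example.atlassian.net';
const ASSET = 'https://d111111abcdef8.cloudfront.net/img/logo.png';
// Abridged from the policy quoted in the question.
const QUOTED = "frame-ancestors 'self' *.atlassian.net; report-to csp-default-endpoint";
const RESTRICTIVE = "default-src 'self'; img-src 'self' data: *.atlassian.net; script-src 'self' *.cloudfront.net";

console.log(checkFetch(QUOTED, 'image', ASSET, ORIGIN));
console.log(checkFetch(RESTRICTIVE, 'image', ASSET, ORIGIN));
console.log(checkFetch(RESTRICTIVE, 'script', ASSET, ORIGIN));
```

A `directive` of `null` means the policy string passed in contains no directive that governs that fetch type; the browser console's CSP violation message names the directive that actually blocked a load.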