Summary:
Request to update the configuration of AntiSamy used by the streams-aggregator-plugin to enable the noopenerAndNoreferrerAnchors directive by default, preventing reverse tabnabbing attacks. This update should be reflected in future Bamboo release versions.
Background:
A warning message is currently being logged indicating that the noopenerAndNoreferrerAnchors directive is not enabled by default in the AntiSamy policy used by the streams-aggregator-plugin. This directive is recommended to prevent reverse tabnabbing attacks.
[java] 2023-12-01 08:58:50,627 INFO - Attempting to load AntiSamy policy from an input stream.
[java] 2023-12-01 08:58:50,755 WARN - The directive "noopenerAndNoreferrerAnchors" is enabled by default, but disabled in this policy. It is recommended to leave it enabled to prevent reverse tabnabbing attacks
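The following is an added example (not code from the plugin or from Atlassian) showing what the directive changes: the same anchor is sanitized once with the directive switched off and once with it on, and only the latter carries the rel="noopener noreferrer" attribute that blocks reverse tabnabbing. It assumes an AntiSamy policy file named antisamy-streams.xml on the classpath (a placeholder name standing in for the plugin's real policy) that permits the a tag with href and target attributes.

```java
import java.io.InputStream;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class NoopenerDirectiveCheck {
    // Constructed sample input: an anchor that opens a new tab. Without
    // rel="noopener", the opened page keeps a handle on window.opener.
    static final String UNTRUSTED_HTML =
        "<a href=\"https://example.com/\" target=\"_blank\">open</a>";

    static final String DIRECTIVE = "noopenerAndNoreferrerAnchors";

    // Runs the given policy over the input and returns the sanitized HTML.
    static String sanitize(Policy policy, String html) throws Exception {
        CleanResults result = new AntiSamy().scan(html, policy);
        return result.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: placeholder policy file on the classpath (not the plugin's real one).
        InputStream in = NoopenerDirectiveCheck.class.getResourceAsStream("/antisamy-streams.xml");
        Policy loaded = Policy.getInstance(in);

        // Weak setting: the directive disabled, as in the policy the ticket describes.
        Policy weak = loaded.cloneWithDirective(DIRECTIVE, "false");
        // Corrected setting: the directive enabled, matching the AntiSamy default.
        Policy fixed = loaded.cloneWithDirective(DIRECTIVE, "true");

        String weakOut = sanitize(weak, UNTRUSTED_HTML);
        String fixedOut = sanitize(fixed, UNTRUSTED_HTML);

        System.out.println("directive=false : " + weakOut);
        System.out.println("directive=true  : " + fixedOut);

        // The corrected policy must add rel="noopener noreferrer" to target="_blank" anchors.
        boolean protectedAnchor = fixedOut.contains("noopener") && fixedOut.contains("noreferrer");
        System.out.println("reverse tabnabbing mitigated: " + protectedAnchor);
    }
}
```

Comparing the two outputs at plugin startup is a quick way to confirm the fix landed in a given build, independent of whether the WARN line appears in the log.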
Current Status:
- A fix has been implemented and backported to versions 10.0.x and 9.2.x of the plugin.
- The updated plugins have been tested and confirmed to resolve the warning when all related streams plugins are updated to version 10.0.20.
- These updates need to be included in future Bamboo release versions, starting from version 10.2.2.
Request:
- Update the AntiSamy configuration in the streams-aggregator-plugin to enable noopenerAndNoreferrerAnchors by default.
- Ensure that all streams-related plugins are updated to the same version (10.0.20 or later) to maintain consistency and prevent issues.
- Confirm that these updates will be included in future Bamboo release versions, starting from 10.2.2.
Slack Thread: https://atlassian.slack.com/archives/CFHN1KJHE/p1738139281505519