Suggestion
Resolution: Unresolved
Summary of the Issue
With the deprecation of the Connect framework and the migration of vendors to Forge, stricter security measures have been introduced. Forge apps, by default, restrict access to external URLs, only allowing communication with the current site URL. This presents a challenge when a Confluence or Jira Cloud site changes its domain (e.g., from abc.atlassian.net to xyz.atlassian.net), but attachments or resources still reference the old domain. As a result, Forge-based apps are unable to render these attachments, leading to broken user experiences and data accessibility issues.
Suggestion for Implementation
Introduce a configurable "Allowed Domain List" or "Domain Exception List" in Forge app permissions. This list would enable admins or app vendors to specify additional trusted domains (such as previous site URLs) from which attachments and resources can be accessed. The implementation should:
- Allow explicit listing of old site domains in the Forge app manifest.
- Ensure that only domains previously owned by the organization or verified by Atlassian can be added, to maintain security.
- Optionally, provide an admin UI for managing allowed domains post-migration.
Workaround
Currently, the only officially supported workaround is to reupload the attachments in such cases.