- Type: Bug
- Resolution: Unresolved
- Priority: High
- Component/s: Forge - App UI Web
- Major
- Integration testing
Issue Summary:
- In a minimal Forge app reproducer, emoji resource access does not work as expected by default, even when using the following recommended path. The instructions in the doc issues-when-fetching-list-of-emojis are not helpful.
  api.atlassian.com/gateway/api/emoji/{cloudId}/{emojiId}/path
- The issue appears to be in Forge app runtime behavior (CSP / external permissions / redirect / CORS behavior).
Steps to Reproduce
- Minimal Forge app: emoji-repro.zip


Observation
The reproducer tests three cases:
1. Case A: direct CDN image
<img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/assets/standard/32/1f642.png">
2. Case B: API path image
<img src="https://api.atlassian.com/gateway/api/emoji/{cloudId}/1f642/path">
3. Case C: fetch() API path
fetch("https://api.atlassian.com/gateway/api/emoji/{cloudId}/1f642/path", { method: "GET", redirect: "follow" })
Observed behavior without explicit external permissions
• Case A fails
• Case B fails
• Case C fails
Browser console shows CSP violations against the final emoji host https://pf-emoji-service.prod-east.frontend.public.atl-paas.net/...
This indicates that the actual runtime host differs from the host that appears in documented guidance / default allowlist expectations.
Observed behavior with explicit Forge external permissions added
When explicit external permissions are added for:
• https://api.atlassian.com
• https://pf-emoji-service.prod-east.frontend.public.atl-paas.net
• https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net
results change to:
• Case A: direct CDN image still fails
• Case B: API path image loads successfully
• Case C: fetch() API path still fails
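The Case B result above is consistent with CSP being checked against every hop of a redirect, so both the API host and the final emoji host have to be covered. As an added example (not part of the original report or of Forge), this helper finds the first hop of a redirect chain that an allowlist does not cover; the final path, the CLOUD_ID placeholder and the assumed default allowlist of only https://api.atlassian.com are constructed for illustration.

```javascript
// Added illustration, not Forge or Atlassian code. Simplified CSP host-source
// matching: scheme, host (exact or "*." wildcard) and port; paths are ignored.
function hostSourceMatches(source, url) {
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(source.toLowerCase());
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const u = new URL(url); // hostname is already lower-cased by the parser
  if (scheme && u.protocol !== `${scheme}:`) return false;
  const hostOk = wildcard ? u.hostname.endsWith(`.${host}`) : u.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return u.port === ""; // "" means the scheme's default port
  return port === "*" || u.port === port;
}

// CSP applies to each hop of a redirect, so report the first URL in the chain
// that no allowlist entry covers (null when every hop is allowed).
function firstBlockedHop(chain, allowlist) {
  const blocked = chain.find((url) => !allowlist.some((src) => hostSourceMatches(src, url)));
  return blocked ?? null;
}

// Hosts taken from the report.
const API = "https://api.atlassian.com";
const FINAL_HOST = "https://pf-emoji-service.prod-east.frontend.public.atl-paas.net";
const CDN_HOST = "https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net";

// Constructed redirect chain for Case B: the API path, then the final emoji host.
// CLOUD_ID and the final path are placeholders, not real values.
const caseB = [
  `${API}/gateway/api/emoji/CLOUD_ID/1f642/path`,
  `${FINAL_HOST}/constructed/placeholder.png`,
];

// Assumed default: only the API host is allowed, so the final host is blocked.
console.log("assumed default:", firstBlockedHop(caseB, [API]));
// With the three hosts from the report, every hop of Case B is covered.
console.log("explicit permissions:", firstBlockedHop(caseB, [API, FINAL_HOST, CDN_HOST]));
```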
Expected Results
One of the following should be true for Forge apps:
1. the documented emoji API path should work by default in Forge app context without requiring explicit external permissions to Atlassian-owned emoji hosts, or
2. the platform/documentation should clearly state the exact required hosts and constraints, including the impact on Runs on Atlassian eligibility
Actual Results
• Default app behavior fails for emoji image loading.
• Explicit external permissions are needed for the API-path image to work.
• fetch() still fails due to CORS on the redirected final host.
• This creates a gap between documented guidance and actual Forge app runtime behavior.
Workaround
A partial workaround is to add explicit Forge external permissions for the emoji-related hosts and use the following URL as an <img> source. However, this workaround may make the app ineligible for Runs on Atlassian, so it is not an acceptable final solution for apps that need to remain Runs on Atlassian compatible.
https://api.atlassian.com/gateway/api/emoji/{cloudId}/{emojiId}/path
- relates to: ECO-1375 Emoji API imagePath not usable in Forge / Runs on Atlassian contexts — no documented CDN URL construction path
- Needs Triage