The documented default emoji CDN host is blocked by Forge app CSP.

    • Type: Bug
    • Resolution: Answered
    • Priority: High
    • Component/s: Forge - App UI Web
    • None
    • Major

      Issue Summary:

      Forge app CSP blocks documented default emoji CDN host

      pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net

      As a workaround, the partner would have to add external permissions, potentially forcing a major version and affecting Runs on Atlassian expectations.

      Steps to Reproduce

      Minimal Forge app: emoji-repro.zip

      1. Create/load a Forge Custom UI app.
      2. Render a plain <img> using https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/...
      3. Observe browser console/network.

      Expected Results

      • The documented default allow-listed host should load without requiring manifest egress.

      Actual Results

      • Browser reports CSP violation for the CDN host.

      Workaround

      • To render emojis in your app, internal APIs are used to access the list of emojis available. We’ve allow-listed the following:
        • api.atlassian.com/gateway/api/emoji/ for fetch.client to list emojis
      • Or add external permissions, potentially forcing a major version and affecting Runs on Atlassian expectations.
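
To confirm which directive rejects the emoji host in step 3 of the reproduction, the following added example (not part of the original issue or of Forge's own code) checks an image URL against a CSP string and, when loaded in the Custom UI page, logs the browser's `securitypolicyviolation` events. `SAMPLE_POLICY` and the image path are constructed, and the matcher is a simplification that covers only `*`, scheme sources and host sources (no ports, paths or keywords).

```javascript
// Constructed policy for illustration; NOT the real Forge CSP.
const SAMPLE_POLICY = "default-src 'self'; img-src 'self' data: https://api.atlassian.com";
const EMOJI_HOST = 'pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net';

// Split a CSP string into directive -> source list (first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source matching: "*", scheme sources and host sources only.
function sourceMatches(source, url) {
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source.startsWith("'")) return false; // 'self', 'none', nonces: not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare domain.
  return h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// img-src governs <img>; default-src is the fallback when img-src is absent.
function imageAllowed(policy, imageUrl) {
  const directives = parseCsp(policy);
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts image loads
  const url = new URL(imageUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Inside the Custom UI page: record what the browser actually blocked.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn('CSP blocked', e.blockedURI, 'by', e.effectiveDirective);
  });
}

console.log(imageAllowed(SAMPLE_POLICY, `https://${EMOJI_HOST}/constructed/emoji.png`)); // false
```

Paste the policy from the response's `Content-Security-Policy` header in place of `SAMPLE_POLICY` to see whether the emoji host is covered by `img-src` in the environment under test.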

              Assignee:
              Peter Yu
              Reporter:
              Chandra Shekhar Pandey
              Votes:
              6
              Watchers:
              2
