Userscripts for Confluence supports the execution of code in users' browsers. Understanding the use cases is necessary to understand the security implications.
Since Userscripts for Confluence allows the download of userscripts (JavaScript code) that are executed in the users' browsers, it is important to make sure that these scripts cannot be manipulated by attackers.
This article provides a short overview of security considerations.
Prerequisites
Readers need to be familiar with the security concepts of Confluence.
Script Locations
Userscripts for Confluence can download JavaScript files either from a Confluence location or from a remote location.
The location of the JavaScript file is defined by the property named script.
Confluence Location
The JavaScript files are typically added as attachments to pages. Userscripts for Confluence checks that the file has the proper filename extension ".js" and that the file size is not larger than 1 megabyte.
To ensure that the JavaScript file is not manipulated by unprivileged users, the app provides only files that are accessible by Confluence administrators or userscripts administrators.
Therefore the page is required to allow only members of these groups to access files in write mode. If no restrictions are set on page level, the app requires that the space is only accessible by members of these two groups.
It is recommended to add JavaScript files only to dedicated spaces to which only the mentioned groups have access.
Note that the user services need to serve JavaScript files to users independent of their access privileges. In particular, anonymous users may need to execute JavaScript code without having access privileges to the attached JavaScript files.
Remote Locations
If a script URL points to a remote location, then this URL is required to be listed in the Confluence whitelist. The filename is required to have the extension ".js".
No further restrictions apply.
Script Administration
On uploading a userscript, the script URL is checked.
If validation fails, the problem is reported in the dialog window. An invalid script cannot be uploaded successfully.
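The location rules described above can be written out as a pre-upload check. This is an added example, not the app's own code: the group names, the attachment record shape, and exact-origin matching against the whitelist are assumptions made for illustration.

```javascript
// Added example: pre-check a userscript location against the rules on this page.
// Assumptions: group names, record shape, and origin-based whitelist matching.
const MAX_BYTES = 1024 * 1024; // "not larger than 1 megabyte" (binary megabyte assumed)
const ADMIN_GROUPS = new Set([
  "confluence-administrators",  // assumed group name
  "userscripts-administrators", // assumed group name
]);

// True only if the name ends in ".js" and has a non-empty base name.
function hasJsExtension(name) {
  return /[^/]\.js$/.test(name);
}

// attachment: { filename, size, writers } where writers lists every group that
// has effective write access (page restrictions, else space permissions).
function checkAttachment(attachment) {
  const problems = [];
  if (!hasJsExtension(attachment.filename)) problems.push("extension");
  if (attachment.size > MAX_BYTES) problems.push("size");
  const writers = attachment.writers || [];
  // Unknown writers are treated as a failure rather than as "restricted".
  if (writers.length === 0 || writers.some((g) => !ADMIN_GROUPS.has(g))) {
    problems.push("write-access");
  }
  return problems;
}

// allowedOrigins: constructed stand-in for the Confluence whitelist entries.
function checkRemote(scriptUrl, allowedOrigins) {
  let url;
  try {
    url = new URL(scriptUrl);
  } catch {
    return ["url"];
  }
  const problems = [];
  // Compare the parsed origin, so a look-alike host or a "user@host" URL
  // cannot pass through a prefix or substring comparison.
  if (!allowedOrigins.includes(url.origin)) problems.push("allowlist");
  // The extension is checked on the path only; query and fragment are ignored.
  if (!hasJsExtension(url.pathname)) problems.push("extension");
  return problems;
}
```

An empty result means the location passes these checks. Because the page states that such validation runs only when a script is stored, a check like this says nothing about later changes to a remote file.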
Script Access
The script access is conducted in two steps.
- Userscripts Context Service: Calculates all applicable scripts and returns their links to the user's browser for execution
- Userscripts Service: Serves an individual script, which is cached for performance reasons
The access privileges are not checked by the context service. Only the script service checks that the access privileges are properly set.
When a script is accessed, no validation checks other than the privilege checks are executed. The other checks are conducted only when the script is stored to the database (either created or updated).
Resources
More information on this topic is available from the following resources.