Policy

1. Data Security

All data submitted through the Custom HTML Embedder app (such as user-defined HTML content) is securely stored within the Atlassian ecosystem using Forge’s Storage API.

  • No data is stored or transmitted outside Jira or the Atlassian infrastructure.

  • The app does not collect or transmit any personally identifiable information (PII) unless explicitly entered by the user in their custom HTML content.

2. Content Restrictions

This app enables users to embed and render custom HTML content.
To protect users:

  • Inline scripts (<script>) and JavaScript execution are blocked by the browser's security model and Atlassian’s Content Security Policy (CSP).

  • The app does not support active scripting, event handlers (onclick, onload, etc.), or remote JavaScript sources.

  • Users must embed only static, safe, and trusted HTML to avoid harmful behavior such as phishing or cross-site scripting (XSS).

3. Authentication & Permissions

  • The app runs in the context of the currently authenticated Jira user.

  • It respects Atlassian’s permission model and does not access or modify any data beyond what the user is explicitly authorized to access.

4. Access Control

  • Only Jira users with the appropriate issue permissions (such as Browse Issues or Edit Issues) can view or configure custom HTML content through the app.

  • The configuration interface is available only in edit mode, ensuring unauthorized users cannot modify the content.

5. Security Best Practices

To maintain a secure experience while using Custom HTML:

  • Do not embed untrusted or third-party HTML content.

  • Avoid using any raw script tags or event-based attributes like onclick.

  • Periodically review the embedded HTML to ensure it remains safe and static.
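As an added example (not the Custom HTML Embedder app's own code), the following review aid covers both the restrictions in section 2 and the periodic-review step above: it scans stored HTML for script tags, remote script sources, event-handler attributes and javascript: URLs, decoding numeric character references first because browsers do the same before acting on attribute values. The function names and the sample markup are assumptions constructed for this example.

```javascript
// Conservative textual review of stored HTML: flags the constructs the policy
// disallows (script tags, remote script sources, event-handler attributes,
// javascript: URLs). Example code only; not part of the Custom HTML Embedder app.
const CHECKS = [
  { rule: 'script-tag', re: /<\s*script\b/gi },
  { rule: 'remote-script-source', re: /<\s*script\b[^>]*\bsrc\s*=/gi },
  { rule: 'event-handler-attribute', re: /<[a-z][^>]*?\son[a-z]+\s*=/gi },
  { rule: 'javascript-url', re: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi },
];

// Browsers decode numeric character references before acting on attribute
// values, so decode them first; otherwise "&#106;avascript:" would be missed.
function decodeNumericEntities(html) {
  const toChar = (raw, cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : raw);
  return html
    .replace(/&#x([0-9a-f]+);?/gi, (raw, hex) => toChar(raw, parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (raw, dec) => toChar(raw, parseInt(dec, 10)));
}

// Returns { safe, findings }; each finding names the rule, its offset in the
// decoded markup and a short snippet so a reviewer can locate it.
function reviewEmbeddedHtml(html) {
  const decoded = decodeNumericEntities(html);
  const findings = [];
  for (const { rule, re } of CHECKS) {
    re.lastIndex = 0; // shared /g regex: reset between calls
    let m;
    while ((m = re.exec(decoded)) !== null) {
      findings.push({ rule, offset: m.index, snippet: decoded.slice(m.index, m.index + 40) });
    }
  }
  return { safe: findings.length === 0, findings };
}

// Constructed samples (not real stored content).
const STATIC_OK = '<div class="banner"><h2>Release notes</h2>' +
  '<a href="https://example.org/docs">Docs</a></div>';
const NOT_STATIC = '<img src="x" onerror="alert(1)">' +
  '<a href="&#106;avascript:alert(2)">go</a>' +
  '<script src="https://cdn.example/x.js"></script>';

console.log(reviewEmbeddedHtml(STATIC_OK).safe); // true
console.log(reviewEmbeddedHtml(NOT_STATIC).findings.map((f) => f.rule));
```

The check is deliberately conservative (a textual scan, not an HTML parser), so a finding is a prompt for a human to look at the content; the CSP still governs what the browser will actually execute.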

6. Vulnerability Reporting

We welcome responsible disclosure of any potential vulnerabilities.
Please report any concerns to:
📧 developer@code4me.in