Page tree

 

Userscripts for Confluence supports the execution of script code in the browsers of users. It is important to understand the use cases to understand security implications.

Since Userscripts for Confluence allows the download of userscripts (JavaScript code) that is executed in the users' browsers, it is important to make sure that these scripts cannot be manipulated by attackers.

This article provides a short overview over security considerations.

Please use this information to consider security implications.

Prerequisites

Readers need to be familiar with the security concepts of Confluence.

Script Locations

Userscripts for Confluence allows to download JavaScript files either from a Confluence location or from a remote location.

The location of the JavaScript file is defined by the property named script.

Confluence Location

The JavaScript files are typically added as Attachments to pages. Userscripts for Confluence checks that the file has the proper filename extension ".js" and that the file size is not larger than 1 mega byte.

To ensure that the JavaScript file is not manipulated by unprivileged users, the app only provides only files that are accessible by confluence administrators or userscripts administrators.

Therefore the page is required to allow only members of these groups to access files in write mode. If no restrictions are set on page level, the app requires that the space is only accessible by members of these two groups.

 

It is recommended to add JavaScript files only to dedicated spaces where only the mentioned groups have access to.

As space admin go to the Permissions tab of Space Tools.

Screenshot shows the recommended permission configuration for a space providing userscripts.

In the recommended permission configuration for a userscripts repository space, we do not allow individual users. If you want to have individual users with access privileges, make sure that all individual users listed on this page are members of either confluence administrators or userscripts administrators

Disallow Anonymous Access.

If non administrators need to have read access, this is also a valid configuration.

Screenshot shows a permission configuration for a space to allow administrators write, users read access.

No user who is not a member of the administrators group is allowed to create, add or remove pages or add or remove attachments. Also no configuration of restrictions or space administration tasks are allowed. You may want to be more restrictive than the configuration shown above. From the Userscripts for Confluence point of view, users without administration privileges do not need access to the space.

Alternatively you may also configure the proper access restrictions at page level.

Note that the user services need to serve JavaScript files to users independent of their access privileges. Especially anonymous users may need to execute JavaScript code without access privileges to the attached JavaScript files.

Remote Locations

If a script URL points to a remote location, then this URL is required to be listed in the Confluence whitelist. The filename is required to show the extension ".js" .

No further restrictions apply.

Script Administration

On uploading a userscript, the script URL is checked.

If validation fails, the problem is reported in the dialog window. An invalid script cannot be uploaded successfully.

The services provided by Userscripts are only accessible with the following roles: 

.

Script Access

The script access is conducted in two steps.

  1. Userscripts Context Service: Calculates all applicable scripts and returns their links to the user's browser for execution
  2. Userscripts Service: Serve an individual script, which is cached for performance reasons

The access privileges are not checked by the context service. Only the script service checks that the access privileges are properly set.

On accessing the script other validation checks than privilege checks are not executed. These checks are only conducted when the script is stored to the database (either created or updated).

The original script URL is substituted with a local URL. Therefore the client will not access the backend system hosting the scripts.

Resources

More information on this topic is available by the following resources.

Understanding Permission in Confluence
Confluence has three levels of permission: Global Permissions, Space Permissions, and Page Restrictions. This article on Confluence Service Support discusses them.
Page Restrictions
Page restrictions allow to control who can view and/or edit individual pages in a space. This article on Confluence Service Support shows how to use page restrictions.
Configuring the Whitelist
Confluence administrators can choose to allow incoming and outgoing connections. This article on Confluence Service Support provides information on the Confluence Whitelist.
Navigating to Space Tools
An article on Confluence Service Support that shows how to find the Space Tools.
Space Permissions Overview

Every Confluence space has its own set of permissions which determine what people can do in the space. This article on Confluence Service Support shows the configuration options for space permissions.