The boring enterprise solution is “just ship it to Textract\/Vision”. The problem: screenshots often contain stuff that should never<\/em> leave the browser (PII, API keys, internal URLs, config fragments). I wanted OCR that\u2019s privacy-first by default<\/strong>. This is also the only way how to keep “Runs on Atlassian” badge.<\/p>\n So: 100% client-side OCR<\/strong>. In a Forge Custom UI. Running Tesseract.js<\/strong> in the browser via WebAssembly<\/strong>.<\/p>\n I started in the happy place: This is the part where Forge can quietly mess with your intuition: tunnel is not Cloud<\/strong>.<\/p>\n Not in the “different API base URL” sense – in the security \/ CSP \/ asset serving<\/em> sense.<\/p>\n In tunnel, you can get to a working state quickly enough that you subconsciously stop thinking about what the platform will do to your code once it\u2019s served from the real Cloud environment. I already managed to complete front-end UI\/UX and was almost ready for production.<\/p>\n Then I deployed:<\/p>\n Clicked Scan Text<\/strong> in real Jira Cloud.<\/p>\n Spinner spins forever.<\/p>\n DevTools console turns into a murder board:<\/p>\n The tunnel didn\u2019t lie<\/em> on purpose. It just didn\u2019t reproduce the same conditions.<\/p>\n In cloud, Forge Custom UI is served from Atlassian\u2019s infrastructure with strict CSP rules. And the way your assets and worker scripts are served\/isolated matters.<\/p>\n Tesseract.js runs OCR inside a Web Worker. That\u2019s the correct architecture (OCR is heavy, keep it off the main thread).<\/p>\n The surprise: in Forge Custom UI, a worker loaded as a “normal” script can behave like it has its own, stricter sandbox rules.<\/p>\n If that worker can\u2019t do what the WASM runtime needs, you get the kind of failures that look like “WASM is broken”, when in reality it\u2019s CSP and worker context<\/strong>.<\/p>\n The fix wasn\u2019t “try another bundler” or “sprinkle more polyfills”. It was understanding that I needed the worker to execute under the same CSP as the main app<\/strong>.<\/p>\n The core idea:<\/p>\n And it boils down to this:<\/p>\n On the platform side, the app\u2019s This is the part that makes the whole feature go from “works in tunnel” to “works in Cloud”.<\/p>\n I also didn\u2019t want OCR to download anything from random URLs at runtime.<\/p>\n So the app ships the whole OCR stack as static assets:<\/p>\n That means OCR works in production with no “call home” behavior.<\/p>\n Yes, it\u2019s heavier. But it\u2019s predictable.<\/p>\n Client-side OCR is one of those features that will happily eat RAM for breakfast if you don\u2019t put it on a leash.<\/p>\n This implementation is pretty strict:<\/p>\n That\u2019s not “security theater” – it\u2019s the difference between “neat feature” and “my Jira tab froze again”.<\/p>\n Now the production flow is actually boring (which is what you want):<\/p>\n No screenshot leaves the user\u2019s browser.<\/strong><\/p>\n And yes – the service prints a loud console banner before any scary warnings:<\/p>\n Because if you\u2019re going to fight CSP for a living, you deserve a tiny victory flag.<\/p>\n If you\u2019re building anything spicy in Forge Custom UI (WASM, workers, heavy client runtimes), treat The only environment that matters is the one your customers run: production Jira Cloud<\/strong>, with real CSP and real asset hosting.<\/p>\n Want to try it?<\/span><\/strong><\/p>\n Check out Attachment Architect on the Atlassian Marketplace<\/a>. It now reads text, previews Excel files, and lets you peek inside ZIPs – all securely inside Jira.<\/p>","protected":false},"excerpt":{"rendered":" It\u2019s 2026. We have AI that can generate video from text, yet when a QA engineer attaches a screenshot of a log file to a Jira ticket, I still find myself manually re-typing error codes like it\u2019s 1995. So I built it into my Forge app Attachment Architect: a Scan Text button that turns pixels […]<\/p>\n<\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[245],"tags":[266,289,288,33,287,249,283,286,290,285,284],"class_list":{"0":"post-1607","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-jira","7":"tag-atlassian-forge","8":"tag-csp","9":"tag-custom-ui","10":"tag-devops","11":"tag-engineering","12":"tag-jira-cloud","13":"tag-ocr","14":"tag-react","15":"tag-tesseract","16":"tag-tesseractjs","17":"tag-webassembly","18":"h-entry","19":"hentry"},"_links":{"self":[{"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/posts\/1607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/comments?post=1607"}],"version-history":[{"count":18,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/posts\/1607\/revisions"}],"predecessor-version":[{"id":1636,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/posts\/1607\/revisions\/1636"}],"wp:attachment":[{"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/media?parent=1607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/categories?post=1607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.drinkits.lv\/en\/wp-json\/wp\/v2\/tags?post=1607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Phase 1 –\u00a0 the tunnel trap: everything works (until it doesn\u2019t)<\/h4>\n
forge tunnel<\/code>.<\/p>\n\n
![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-01-28-131940.png\")
<\/a><\/p>\nPhase 2 – deploy to Jira Cloud, click the button, watch it burn<\/h4>\n
forge deploy -e development<\/code><\/pre>\n\n
Refused to create a worker from 'blob:...'<\/code><\/li>\nViolates Content Security Policy directive ...<\/code><\/li>\nWASM compilation failed<\/code><\/li>\n<\/ul>\n![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-02-01-171127.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-02-02-080105.png\")
<\/a><\/p>\nWhat actually broke: Workers + CSP + WASM in Forge<\/h4>\n
The fix: Blob workers that inherit the main thread CSP<\/h4>\n
\n
const worker = await createWorker(validLanguage, 1, {\r\n workerPath: urls.workerPath,\r\n corePath: urls.corePath + 'tesseract-core.wasm.js',\r\n langPath: urls.langPath,\r\n\r\n \/\/ The whole trick:\r\n workerBlobURL: true,\r\n});<\/code><\/pre>\nmanifest.yml<\/code> CSP allows:<\/p>\n\n
scripts: 'unsafe-eval'<\/code> (needed for this WASM\/Tesseract setup)<\/li>\nscripts: 'blob:'<\/code> (needed for Blob Worker URLs)<\/li>\n<\/ul>\n![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-02-02-090758.png\")
<\/a><\/p>\n
\n![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-02-09-103248.png\")
<\/a>Bonus reality check: your OCR assets can\u2019t depend on the internet<\/h4>\n\n
public\/ocr\/worker.min.js<\/code><\/li>\npublic\/ocr\/core\/tesseract-core.wasm.js<\/code> (+ wasm variants)<\/li>\npublic\/ocr\/lang-data\/*.traineddata.gz<\/code><\/li>\n<\/ul>\nSafety: guardrails so OCR doesn\u2019t nuke the browser tab<\/h4>\n
\n
data:<\/code> image URIs, blob:<\/code> URLs, or same-origin URLs.<\/li>\nThe result<\/h4>\n
\n
![\"\"](\"https:\/\/www.drinkits.lv\/wp-content\/uploads\/2026\/02\/Ekranuznemums-2026-02-09-103853.png\")
<\/a><\/p>\nTakeaway<\/h4>\n
forge tunnel<\/code> as a convenience<\/em>, not a guarantee.<\/p>\n