Q: We are searching for apps that are more secure than the embedded iframe solution of Confluence, since it can make Confluence vulnerable to cross-site scripting attacks. Is this app a good alternative considering the security aspects? Could we have security concerns with this app?

They’re as secure as the configuration which you set on the iframes and the browser that enforces them. I

We can’t make any broad statements here, but you’re welcome to trial the app and attempt to attack Confluence on a test page.

Q: Does your add-on support limiting who can insert/edit HTML into a Confluence page? We are looking for a way to limit that. The people who cannot insert/edit will still need to be able to view the HTML code inserted on the page.

We do not have controls on who can create a macro. Unfortunately there’s no method which would enforce this.

Q: Can you elaborate on the statement of how the Secure HTML Macro makes running HTML code safe?

What this means is that the macro wraps the code in an iframe with a domain we control to trigger CORS protections, and the sandbox attribute.

Then when browsers interpret this, they apply a number of client side protections to ensure that security risks like XSS are mitigated.
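The cross-origin iframe plus sandbox attribute described in the answer above, as an added example that is not the Secure HTML Macro's own code: it builds the embed tag and enforces the two checks a reviewer would want around such an embedding. The host origin, render origin, macro id and the `/macro/<id>` path on the vendor-controlled render domain are all assumptions.

```javascript
// Added example (not the Secure HTML Macro's code): models the embedding the answer
// describes and the two origin/sandbox checks worth enforcing around it.
// hostOrigin, renderOrigin, macroId and the /macro/ path are assumptions.
const KNOWN_TOKENS = new Set([
  'allow-scripts', 'allow-forms', 'allow-popups', 'allow-modals',
  'allow-downloads', 'allow-top-navigation', 'allow-same-origin',
]);

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function buildSandboxedIframe({ hostOrigin, renderOrigin, macroId, sandbox = ['allow-scripts'] }) {
  const host = new URL(hostOrigin).origin;
  const render = new URL(renderOrigin).origin;
  // Check 1: the frame must be cross-origin to Confluence. Same-origin framed HTML
  // would have full access to the Confluence DOM, cookies and REST endpoints.
  if (host === render) {
    throw new Error(`render origin must differ from host origin (${host})`);
  }
  const unknown = sandbox.filter((t) => !KNOWN_TOKENS.has(t));
  if (unknown.length) throw new Error(`unknown sandbox token(s): ${unknown.join(', ')}`);
  // Check 2: without allow-same-origin the framed document gets an opaque origin, so
  // snippets from different pages served from the shared render domain cannot read
  // each other, and cannot read cookies set on that domain. Refuse to weaken this.
  if (sandbox.includes('allow-same-origin')) {
    throw new Error('allow-same-origin would give every snippet the shared render origin');
  }
  const src = `${render}/macro/${encodeURIComponent(macroId)}`;
  const tag = `<iframe src="${escapeAttr(src)}" sandbox="${escapeAttr(sandbox.join(' '))}"` +
    ' referrerpolicy="no-referrer"></iframe>';
  // What the browser will enforce for this tag (sandbox denies each feature unless
  // its allow-* token is present).
  const enforced = {
    opaqueOrigin: true,
    scriptsBlocked: !sandbox.includes('allow-scripts'),
    formsBlocked: !sandbox.includes('allow-forms'),
    popupsBlocked: !sandbox.includes('allow-popups'),
    topNavigationBlocked: !sandbox.includes('allow-top-navigation'),
  };
  return { tag, enforced };
}

// Constructed sample values; run with node to print the resulting tag.
const result = buildSandboxedIframe({
  hostOrigin: 'https://wiki.example.com',
  renderOrigin: 'https://render.macro-vendor.example',
  macroId: 'abc123',
});
console.log(result.tag);
```

The isolation between the frame and the Confluence page comes from the browser's same-origin policy (the answer refers to it as CORS protection); the sandbox attribute then removes further capabilities feature by feature.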