Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Is there a way to change the Font Size or Font Type on the Iframe for Confluence Macro?

The styling would need to happen on the original page. This type of change is prohibited by browsers as it would violate CORS. The style you can configure on the macro impacts the iframe itself and is used for things like sizing.

As an alternative, you could adjust the width and height attributes of the iframe, but what happens within that is up to the CSS of the remote site in terms of styling.

We are searching for apps that are more secure than the embedded iframe solution of confluence, since it can make Confluence vulnerable to cross-site scripting attacks. Is this app a good alternative considering the security aspects? Could we have security concerns with this app?

They’re as secure as the configuration which you set on the iframes and the browser that enforces them.

We can’t make any broad statements here, but you’re welcome to trial the app and attempt to attack Confluence on a test page.

Does your add on support limiting who can insert/edit HTML into a Confluence page? We are looking for a way to limit that. The people who cannot insert/edit will still need to be able to view the HTML code inserted on the page.

We do not have controls on who can create a macro. Unfortunately there’s no method which would enforce this.

Can you elaborate on the statement of how the Secure HTML Macro makes running HTML code safe?

What this means is that the macro wraps the code in an iframe with a domain we control to trigger CORS protections, and the sandbox attribute.

Then when browsers interpret this, they apply a number of client side protections to ensure that security risks like XSS are mitigated.

What sort of information Iframes for Confluence captures from our instance when running a server/data center instance of Confluence. If it does capture any information, are there any options to disable this?

We don’t send any data back to our systems from Iframes for Confluence.

It looks like that the “Whitelisting Feature” on Iframes for Confluence does not work for the Java Script part of the Macro. Could you kindly advise how we can limit from the App/Macro that only certain URLs can be used in java Script?

The whitelisting feature only controls which URL can be iframed into Confluence. We can’t restrict where JS will reach out to since this is based entirely on the behavior that the end user’s browser which we don’t control.

For more information: How Whitelisting and Blacklisting work

  • No labels