Q&A

Is there a way to change the Font Size or Font Type on the Iframe for Confluence Macro?

The styling would need to happen on the original page. This type of change is prohibited by browsers as it would violate CORS. The style you can configure on the macro impacts the iframe itself and is used for things like sizing.

As an alternative, you could adjust the width and height attributes of the iframe, but what happens within that is up to the CSS of the remote site in terms of styling.


We are searching for apps that are more secure than the embedded iframe solution of Confluence, since it can make Confluence vulnerable to cross-site scripting attacks. Is this app a good alternative considering the security aspects? Could we have security concerns with this app?

They’re as secure as the configuration which you set on the iframes and the browser that enforces them.

We can’t make any broad statements here, but you’re welcome to trial the app and attempt to attack Confluence on a test page.


Does your add on support limiting who can insert/edit HTML into a Confluence page? We are looking for a way to limit that. The people who cannot insert/edit will still need to be able to view the HTML code inserted on the page.

We do not have controls on who can create a macro. Unfortunately there’s no method which would enforce this.


Can you elaborate on the statement of how the Secure HTML Macro makes running HTML code safe?

What this means is that the macro wraps the code in an iframe with a domain we control to trigger CORS protections, and the sandbox attribute.

Then when browsers interpret this, they apply a number of client side protections to ensure that security risks like XSS are mitigated.


What sort of information does Iframes for Confluence capture from our instance when running a server/data center instance of Confluence? If it does capture any information, are there any options to disable this?

We don’t send any data back to our systems from Iframes for Confluence.


It looks like the “Whitelisting Feature” on Iframes for Confluence does not work for the JavaScript part of the Macro. Could you kindly advise how we can limit from the App/Macro that only certain URLs can be used in JavaScript?

The whitelisting feature only controls which URL can be iframed into Confluence. We can’t restrict where JS will reach out to since this is based entirely on the behavior of the end user’s browser, which we don’t control.

For more information: How Whitelisting and Blacklisting work


Is it possible to embed a website, that needs a Kerberos Authentication in your iFrame?
If yes, how?

Kerberos authentication won’t impact this in any way. You can embed it as you normally would.


Is it possible to display a Microsoft Sway doc nicely from a Confluence page using Iframe for Confluence? I have whitelisted https://sway.office.com/* .

Your whitelist entry is correct, but you need to embed the embed code, not the base URL (because MS blocks that). See their docs at:

Share your Sway - Microsoft Support

We are not sure what the “Get embed code” produces, but you can either rip the URL out of there and place it in the iframe macro, or take the whole thing and put it in the Secure HTML macro that we include.


Can I export iframe content when exporting pages?

We do not support exporting content from iframes as that would require us to render it server side. We also do not intend to add this functionality.


Is it possible to have the autoplay attribute removed for the video/mp4 format when using iframe on Confluence?

The autoplay is set by whatever internal server you use to serve the video. So it must be disabled on the source for the Iframe.


I have been trialling your add-in, I’m not sure why your add-on is any better. The prime thing we’re trying to do is stop cross-site scripting by only allowing specific videos or sites to embed videos on our Confluence pages. Please can you explain how your app beats what Confluence has built-in?

Assuming that this is about the whitelisting functionality in Iframes for Confluence.

The main difference is that we support any content, not only what is listed at Widget Connector Macro | Confluence Data Center 9.1 | Atlassian Documentation

We also support extra macro parameters; in particular, Admin controlled Sandboxing allows you more fine-grained control of what can be done in the app.


While trying to embed one of my Smartsheets project schedules within a Confluence page using the iframes macro it is not displaying the schedule as expected and shown in the screenshot below.

You're hitting an issue because Smartsheets is saying "Don't allow people to embed this page anywhere":

iframes+test:1 Refused to display 'https://app.smartsheet.com/sheets/xxxxxxxxxxxx' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Please publish the content as outlined at Publish a sheet, report, or dashboard | Smartsheet Learning Center first, and try embedding it again.
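
The refusal above is the browser acting on the framed site's response headers. As an added example (not code from the app or from the original page), this sketch reproduces that decision for X-Frame-Options and CSP frame-ancestors so a URL's headers can be checked before embedding; the function names and the confluence.example.com embedder are assumptions, and matching is simplified (direct parent only, ports and paths ignored).

```javascript
// Added example (not the app's code). Simplified: checks only the direct
// parent page and ignores ports and paths in frame-ancestors sources.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]).trim() : null;
}

function sourceMatches(source, embedder, target) {
  const s = source.toLowerCase();
  if (s === "'self'") return embedder.origin === target.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && embedder.protocol !== scheme + ":") return false;
  return wildcard ? embedder.hostname.endsWith("." + host) : embedder.hostname === host;
}

function framingVerdict(headers, embedderUrl, targetUrl) {
  const embedder = new URL(embedderUrl);
  const target = new URL(targetUrl);
  const csp = header(headers, "content-security-policy") || "";
  const directive = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
    const ok = directive.slice(1).some((s) => sourceMatches(s, embedder, target));
    return { allowed: ok, reason: "CSP " + directive.join(" ") };
  }
  const xfo = (header(headers, "x-frame-options") || "").toLowerCase();
  if (xfo === "deny") return { allowed: false, reason: "X-Frame-Options: deny" };
  if (xfo === "sameorigin") {
    return { allowed: embedder.origin === target.origin, reason: "X-Frame-Options: sameorigin" };
  }
  // Obsolete ALLOW-FROM and unknown values are ignored by current browsers.
  return { allowed: true, reason: "no enforced framing restriction" };
}

// Constructed sample: the header from the console message above, with a
// hypothetical Confluence origin as the embedding page.
const sample = framingVerdict(
  { "X-Frame-Options": "sameorigin" },
  "https://confluence.example.com/display/iframes+test",
  "https://app.smartsheet.com/sheets/xxxxxxxxxxxx"
);
console.log(sample);
```

Feed it the headers returned by `curl -sI <url>` for the page you plan to embed; a verdict of `allowed: false` means the fix has to happen on the remote site, as with the Smartsheet publish step.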