The Iframe Macro Configuration menu allows Confluence Admins to control what iframe URLs are permitted in their instance.
The Iframe Macro Configuration feature allows iframes to be in one of three states: approved, sandboxed, or blocked.
As users are able to add any type of URL into the iframe, this could pose a risk to the security of your instance.
Cross-site Scripting (XSS)
Note that while Adaptavist is committed to producing safe applications, security should be considered when using this macro. The iframe macro could be used by a malicious user to inject a persistent cross-site scripting attack from a third party site into a page, comment, or blog post.
To minimise risk, from version 6.3.1 of Content Formatting for Confluence all iframe URLs default to having the sandbox attribute. We recommend using this feature to monitor and take action on iframe URLs that do not match your security policies.
This feature can be found in the Confluence Manage Apps Menu and accessed by clicking the Iframe Macro Configuration menu item in the sidebar.
The Iframe Macro Configuration allows admins to specify the default state applied to every iframe macro whose URL is not part of the Approved URL List.
Admins have the option of having an iframe either sandboxed or blocked (denied) by default. Please see the Iframe States section below for more information on these two states.
Once the default settings have been added, admins can add individual iframe URLs to the Approved URL List or bulk import all iframe URLs into the list.
URLs are limited to a maximum length of 2,000 characters. If you want to include pages with longer URLs, please use pattern matching as described in the URL Patterns section below.
It is possible to remove iframe URLs from the Approved URL List at any point by selecting the individual URL or by selecting all URLs in the list and then clicking Remove URLs.
From version 6.3 of Content Formatting for Confluence all iframe macros are sandboxed by default to mitigate risk. Confluence admins then have the option to either permit URLs, or to change the default state for all iframe URLs that are not in the approved list to blocked so that the iframe is not rendered.
Sandboxed: Iframes in this state have the sandbox attribute associated with them.
This attribute restricts what the embedded page can do: it cannot submit forms, execute scripts, or make API calls, giving a safer browsing experience.
Further information about the sandbox attribute can be found here.
Blocked: Iframes in this state will not be rendered and the following message will display:
Approved: Iframes in this state are fully permitted; this is only advised for trusted URLs. Only authenticated Confluence admins are able to place iframes in this state.
The Iframe Macro Configuration feature supports URL pattern matching, making the process of managing iframe states more efficient. Two wildcard forms are supported:
A single * character matches any content up to the next path separator.
Example: adding * to a URL, as in https://mail.google.com/mail/*/inbox, approves the inboxes of all users regardless of which user appears in that segment.
A double ** matches any content, including everything that appears after the asterisks.
Example: use ** when you want to match any part of the rest of a URL, for instance **facebook.com**
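As an added illustration, not the app's own code, the following Python model shows how an Approved URL List entry using these wildcards could be matched against an iframe URL and turned into a rendering state. The wildcard semantics (single * stops at "/", ** crosses it), the sample list, and the function names are assumptions made for the example.

```python
import re

# Constructed Approved URL List: the page's two example patterns plus a literal entry.
APPROVED_URLS = [
    "https://mail.google.com/mail/*/inbox",  # single *: exactly one path segment
    "**facebook.com**",                      # double **: anything on either side;
                                             # also matches other hosts containing the string
    "https://example.org/embed/widget",      # literal entry: exact match only
]


def entry_to_regex(entry: str):
    """Compile a list entry into a regex. Assumed semantics (an illustration,
    not the app's own matcher): "**" matches anything including "/", a single
    "*" matches anything up to the next "/" (one path segment), all else is
    literal, so "." and "?" are escaped rather than acting as metacharacters."""
    parts = []
    i = 0
    while i < len(entry):
        if entry.startswith("**", i):
            parts.append(".*")
            i += 2
        elif entry[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(entry[i]))
            i += 1
    return re.compile("".join(parts))


def classify(url: str, approved: list, default_state: str) -> str:
    """Return "approved" if url matches any list entry, else the admin's default state."""
    if default_state not in ("sandboxed", "blocked"):
        raise ValueError("default state must be 'sandboxed' or 'blocked'")
    # fullmatch anchors both ends, so a literal entry never matches a longer URL
    # that merely starts with it (e.g. one with an extra query string appended).
    if any(entry_to_regex(e).fullmatch(url) for e in approved):
        return "approved"
    return default_state


def iframe_attributes(url: str, approved: list, default_state: str):
    """Attributes the macro would render for url; None means it is not rendered."""
    state = classify(url, approved, default_state)
    if state == "blocked":
        return None
    attrs = {"src": url}
    if state == "sandboxed":
        attrs["sandbox"] = ""  # bare attribute: no scripts, forms or same-origin access
    return attrs
```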
When run, the Iframe URL Import Tool searches Confluence for all iframes and adds all unique URLs to the approved list. This feature provides visibility of all URLs used in iframes across the Confluence instance, allowing admins to take action where required.
Once this tool is run, all imported URLs are in the approved state, not sandboxed or blocked. Admins are then in a position to review these URLs and take action on them in accordance with their security policy.
For larger instances, this may take some time to complete. You can navigate off this page and the task will run in the background.
The Iframe URL Import Tool will not import iframe URLs from comments. If you wish to add these URLs to the approved list, you will need to add them manually.
The Iframe URL Import Tool accepts URLs with a maximum length of 2,000 characters. Any URLs that exceed this limit are skipped during import. Admins can check which URLs were imported in the Confluence application logs. If skipped URLs are required, they can be added manually by implementing a URL pattern as described under URL Patterns above.