'Page not permitted' error when HTML Include macro is used
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When the html-include macro is being used to fetch the HTML of an external page, the Confluence page shows a "Page not permitted" error instead of the intended HTML. The URL has already been added to the Confluence allowlist, but the issue persists.
Cause
Confluence is receiving either an HTTP 401 or 403 response code back from the requested URL. From the source code of the html-include macro, these are the two conditions where Confluence will display this error on-screen:
public boolean isNotPermitted()
{
return method.getStatusCode() == 403 || method.getStatusCode() == 401;
}In the cases where this have been observed, this is typically due to a proxy, firewall, or other network device between the Confluence server and the server hosting the requested URL, outside the control of the Confluence application.
It is common to think that this may be a problem with the allowlist configurations, but this is not the case. Confluence will check to ensure that the URL in the html-include macro meets the criteria of the allowlist before sending the request to fetch the external URL. If the URL does not meet the allowlist criteria, you will see a different message: "Could not access the content at the URL because it is not from an allowed source." The fact that you're getting the "Page not permitted" instead means that the request has been made, and a 401 or 403 response is being returned.
Resolution
Because the issue is outside the scope of the Confluence application, we recommend to involve a network services administrator in your organization to figure out what network devices/rules may be sitting between Confluence and the requested URL. An HTTP 401 or 403 response code means "Unauthorized" or "Forbidden", but these are not coming from Confluence, rather than an unknown network device.