Confluence 3.1 has reached end of life
The RSS and HTML-include macros are used to include content dynamically from other websites onto a Confluence page. The included content could be malicious or harmful to your Confluence instance.
Confluence administrators can set up a list of trusted URLs, thus limiting the locations from which the RSS macro and the HTML-include macro can draw their content.
The form below allows you to define specific URLs and/or URL patterns which are trusted, or to allow inclusion from all URLs without restriction.
To configure the URL whitelist:
- Go to the Confluence 'Administration Console'. To do this:
  - Open the 'Browse' menu and select 'Confluence Admin'. The 'Administration Console' view will open.
- Select 'Configure Whitelist' in the left-hand panel.
- The 'Configure Whitelist' screen will appear, as shown in the screenshot below.
- Select one of the radio buttons as follows:
  - Allow all domains — There will be no restrictions to the content which can be included onto your Confluence pages.
  - Restrict to listed domains — Confluence will allow content from trusted URLs only. When you select this option, a textbox will open allowing you to enter specific URLs and/or URL patterns. Enter one or more URLs, each on its own line. You can enter the full URL, or use the pattern matching rules described below.
- Click 'Save'.
Screenshot: Configuring a URL whitelist
URL Pattern-Matching Rules
Enter one URL or URL pattern per line. You can enter a full URL or use pattern-matching as described below:
- If the rule starts with an equals sign (=), only the exact URL following the '=' will be allowed.
- If the rule starts with a slash (/) then the whole rule will be treated as a regular expression.
- Otherwise, any asterisk (*) will be treated as a wildcard to match one or more characters.
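The three rule kinds above, modelled as an added Python example (not Confluence's own code) so that an administrator can see which URLs a draft whitelist would admit. It assumes that every rule must match the whole URL and that the leading '/' of a regular-expression rule is a marker rather than part of the expression; the rules and probe URLs are constructed.

```python
import re

def compile_rule(rule):
    """Turn one whitelist line into a predicate over URLs (model of the three rule kinds)."""
    rule = rule.strip()
    if rule.startswith("="):
        exact = rule[1:]                      # '=' rule: exact URL only
        return lambda url: url == exact
    if rule.startswith("/"):
        # Assumption: the leading '/' only marks the rule as a regex,
        # and the expression must match the whole URL.
        rx = re.compile(rule[1:])
        return lambda url: rx.fullmatch(url) is not None
    # Wildcard rule: literal text, each '*' stands for ONE OR MORE characters.
    rx = re.compile(".+".join(re.escape(part) for part in rule.split("*")))
    return lambda url: rx.fullmatch(url) is not None

def is_allowed(url, rules):
    """True if any non-empty rule line admits the URL."""
    return any(compile_rule(r)(url) for r in rules if r.strip())

def audit(rules, probes):
    """Map each probe URL to the rules that admit it, to review each rule's reach."""
    return {u: [r for r in rules if r.strip() and compile_rule(r)(u)] for u in probes}

# Constructed sample whitelist and probe URLs (placeholders, not from the page).
RULES = [
    "=http://intranet.example.com/news.rss",
    "http://*.example.com/*",
    r"/https?://feeds\.example\.org/[a-z]+\.xml",
]
PROBES = [
    "http://intranet.example.com/news.rss",      # admitted by the '=' rule and the wildcard
    "http://intranet.example.com/news.rss?x=1",  # '=' rule rejects it, wildcard admits it
    "http://blog.example.com/",                  # '*' needs at least one character: denied
    "http://blog.example.com/feed",
    "http://other.test/a.example.com/feed",      # in this model '*' may also span '/'
    "https://feeds.example.org/daily.xml",       # admitted by the regex rule only
]

if __name__ == "__main__":
    for url, hits in audit(RULES, PROBES).items():
        print("ALLOW" if hits else "DENY ", url, hits)
```

Running `audit()` over a draft list before saving it shows any probe admitted by a rule that was not meant to cover it, which is the cue to replace that rule with an '=' rule or a tighter regular expression.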
What Happens to a Page Containing a Disallowed URL?
A user can add the RSS macro or the HTML-include macro to a Confluence page. The macro code includes a URL from which the content is drawn. When the page is displayed, Confluence will check the URL against the whitelist. If the URL is not allowed, Confluence will display an error message on the page.
The error message says that Confluence "could not access the content at the URL because it is not from an allowed source" and displays the offending URL. If the person viewing the page is a Confluence Administrator, they will also see a link to the Administration page where they can configure the URL whitelist.
Here is an example of the error message, including the link shown only to Confluence Administrators:
Here is an example of the error message, but without the link.
Notes
Some things to be aware of:
- By default, the RSS and HTML-include macros are disabled in Confluence. A System Administrator can enable them on the 'Plugins' screen of the Confluence Administration Console.
- A user who has the 'Confluence Administrator' permission, but not necessarily the 'System Administrator' permission, can configure the URL whitelist (for the HTML-include and RSS macros).