nerostamp.blogg.se

Confluence iframe













The JavaScript is limited as to what it can do because we "sandbox" the unsanitized macro in an extra iframe. However, AJAX requests to services that you do not control may contain CORS response headers that prevent you from using them within the sandbox iframe. The sandbox iframe does not add any CORS-related headers.

An administrator can use the "Configure" button for the HTML Macro in the "Manage apps" page to allow or prevent users from creating and viewing unsanitized HTML macros.


The app installation is a standard one for Confluence Marketplace apps.

Insert the HTML macro into your page and click Insert.

The Sanitize box should be unchecked if you're inserting JavaScript. See the Security Considerations section for more information.

The macro is rendered in one or two levels of iframes. Therefore, you cannot interact with the DOM of the parent and should be familiar with the same-origin policy if you are using advanced client-side code.

Add your HTML to the box that's now inserted on your page.

You can leave blank and adjust it later by editing the macro after you've previewed the page.

Review the macro by viewing the Confluence page or use the "Preview" window in the macro editor.

Security Considerations

Sanitize HTML option

When using the Sanitize option (Sanitize box in macro is checked), only "safe" HTML is allowed (i.e.

Unchecking the Sanitize option allows JavaScript in the body of the HTML macro.

This sandboxing insulates the content from the parent Confluence page, which prevents interaction with the parent page DOM and increases safety. However, in this case, a second or double iframe is used from a different domain.

Any Cloud app that does not operate in this sandboxed manner would not be inherently safe as JavaScript could make REST calls back to Confluence as the present user. Using the sandbox double iframe and a different domain adds security by preventing this from occurring.

When "Sanitize" is unchecked, JavaScript can be executed by your macro and you can make AJAX requests from your code in the body of the HTML macro. Despite the insulation of the extra iframe, this enables certain classes of stored XSS attacks (for example, phishing for credentials in a fake login panel), so you need to trust your site users to use the macro responsibly. Sandboxing helps to mitigate the most dangerous aspects of JavaScript running in your macro, but you need to be aware that unchecking "Sanitize" adds risk.


Allows for previews to prevent tedious page reloading.

Ability to seamlessly incorporate HTML elements, custom styling (CSS) and JavaScript without affecting the rest of the page.













