The Iframe Macro Configuration menu allows Confluence Admins to control what Iframe URLs are permitted in their instance.

The Iframe Macro Configuration feature allows Iframes to be in one of three states: sandboxed, approved, or denied.

As users are able to add any type of URLs into the Iframe, this could pose a risk to the security of your instance.

Cross-site Scripting (XSS):

Note that while Adaptavist is committed to producing safe applications, security should be considered when using this macro. The Iframe macro could be used by a malicious user to inject a persistent cross-site scripting attack from a third party site into a page, comment, or blog post.

To minimise risk, all Iframe URLs will default to have the sandbox attribute from version 6.3.1 of Content Formatting for Confluence. We recommend that you monitor and take action on Iframe URLs that do not match your security policies using this feature.

Navigate to the Iframe Macro Configuration

To navigate to the Iframe Macro Configuration menu:

  1. Click the Confluence Administration icon then select Manage Apps.

  2. Select Iframe Macro under Content Formatting Macros in the left sidebar.

Using the Iframe Macro Configuration

The Iframe Macro Configuration allows admins to specify the default display settings that all Iframe macros will appear in if they are not part of the Approved URL List.

Admins have the option of either having an Iframe sandboxed or denied by default. Please see the Iframe States section below for more information on these two states.

Once the default settings have been set, admins have the ability to add individual Iframe URLs to the Approved URL List or to import all Iframe URLs to the list in bulk.

URLs are limited to a maximum length of 2,000 characters. If you want to include pages with longer URLs, please use pattern matching as described below in the URL Patterns section. It is possible to remove Iframe URLs from the Approved URL List at any point by selecting the individual URL or by selecting all URLs in the list that should be removed and clicking Remove URLs.

Iframe States

Beginning in release 6.3 of Content Formatting for Confluence, all Iframe macros, by default, are sandboxed to mitigate risk. Confluence admins then have the option to either permit URLs or change the default state for all Iframes URLs that are not in the approved list to block the Iframe from being rendered.


Iframes in this state have the sandbox attribute associated to them. This state limits website functionality, such as removing the ability to submit forms and execute scripts and disabling API calls, ensuring a safer browsing experience. Further information about the sandbox attribute can be found in this HTML <Iframe> sandbox Attribute page.


Iframes in this state will be fully permitted; this is only advised for trusted URLs. Only authenticated Confluence admins are able to place Iframes in this state.


Iframes in this state will not be rendered and a message stating This URL is disallowed will be displayed with more information.

URL Patterns

The Iframe Macro Configuration feature supports URL pattern matching, making the process of managing Iframe states more efficient. This impacts the feature in two ways:

  1. All Iframe URLs added to the approved list will be permitted in any Iframes across Confluence and are not bound to a specific Iframe on one page.

  2. When adding URLs to the approved list, you can use wildcard operators. This will allow you to approve all pages within a website or a set of specific pages within a website.

Accepted Wildcard Expressions:

Single ( * )

You can use a single * character to search for any content, up to the next path operator.

Example: You can add the * to a URL such as this one*/inbox if you wanted to say that the inboxes of all users were safe, regardless of the user.

Double ( * * )

You can use a double * * character to search for any content. This will include ANY content that appears after the asterisks.

Example: You can add the double * * when you want to match any part of the rest of a URL, like this ****.

Iframe URL Import Tool

When run, the Iframe URL Import Tool searches Confluence for all Iframes and adds all unique URLs to the approved list. This feature provides the visibility of all URLs used in Iframes across the Confluence instance, allowing admins to take action where required.

Once this tool is run, all URLs are in the approved state and not sandboxed or blocked. Admins should be in the position to take action on these URLs in accordance with their company’s security policy. For larger instances, this may take some time to complete. You can navigate off this page, and the task will run in the background.

The Iframe URL Import Tool will not import Iframe URLs from comments. If you wish to add these URLs to the approved list, you will need to manually add them.

The Iframe URL Import Tool accepts URLs with a maximum length of 2,000 characters. Any URLs that exceed this limit are skipped from the import process. Admins can verify the URLs imported using the Confluence application logs. If skipped URLs are required, they can be manually added by implementing a URL pattern as described in the URL Patterns section above.