This page tells you how to restrict some Confluence macros so that they can get information from authorised sources (URLs) only.

Whitelisting URLs for the RSS and HTML Include macros

The RSS and HTML Include macros are used to include content dynamically from other websites onto a Confluence page. The included content may possibly be malicious or harmful to your Confluence instance.

Confluence administrators can set up a list of trusted URLs, thus limiting the locations from which the RSS macro and the HTML Include macro can draw their content.

The form below allows you to define specific URLs and/or URL patterns which are trusted, or to allow inclusion from all URLs without restriction.

To configure the URL whitelist:

  1. Choose the cog icon  at top right of the screen, then choose Confluence Admin.
  2. Select Configure Whitelist in the left-hand panel. The 'Configure Whitelist' screen will appear, as shown in the screenshot below.
  3. Select one of the options as follows:
    • Allow all domains — There will be no restrictions to the content which can be included onto your Confluence pages.
    • Restrict to listed domains — Confluence will allow content from trusted URLs only. When you select this option, a textbox will open allowing you to enter specific URLs and/or URL patterns. Enter one or more URLs, each on its own line. You can enter the full URL, or use the pattern matching rules described below.
  4. 保存をクリックします。

On this page:

関連ページ

(warning) The information on this page does not apply to Confluence OnDemand.

Screenshot: Configuring a URL whitelist for RSS and HTML Include macros


URL Pattern-Matching Rules

1 行に URL または URL パターンを 1 つ入力します。以下で説明するように、完全な URL を入力するか、パターン マッチングを使用できます。
  • ルールが等号 (=) で始まる場合、「=」に続く正確な URL のみが許可されます。
  • ルールがスラッシュ (/) で始まる場合、ルール全体が正規表現として扱われます。
  • それ以外の場合、アスタリスク (*) は、1 つ以上の文字に一致するワイルドカードとして扱われます。

注意

Some things to be aware of:

  • By default, the RSS and HTML Include macros are disabled in Confluence. A System Administrator can enable them on the 'Plugins' screen of the Confluence Administration Console.
  • A user who has the 'Confluence Administrator' permission, but not necessarily the 'System Administrator' permission, can configure the URL whitelist for the HTML Include and RSS macros.

What Happens to a Page Containing a Disallowed URL?

A user can add the RSS Feed macro or the HTML-include macro to a Confluence page. The macro code includes a URL from which the content is drawn. When the page is displayed, Confluence will check the URL against the whitelist. If the URL is not allowed, Confluence will display an error message on the page.

Confluence が「URL のコンテンツへアクセスできません。許可されているソースのものではありません。」というエラーメッセージとともに、攻撃側の URL が表示されます。 このページを閲覧している人物が Confluence 管理者の場合、URL ホワイトリストを設定できる管理ページへのリンクも表示されます。

Here is an example of the error message, including the link shown only to Confluence Administrators:

Here is an example of the error message, but without the link.

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.