Confluence 4.0 : Configuring a URL Whitelist
This page last changed on Aug 19, 2011 by pwatson.
This page contains instructions for how to use the URL whitelist features for Confluence gadgets. On this page: Using the Whitelist for External GadgetsBy default, Confluence will block Gadget's access to third-party data sources. When you are using gadget that draws content from a third-party data source, you will need to add the URL of that data source to the general gadgets whitelist. To do this, click Confluence Admin > Configuration > External Gadgets. The 'External Gadgets' configuration screen appears. Under 'Gadget whitelist', you can click Add URL to add a third party data source to the Confluence whitelist. Having done this, your gadget will be able to access the data source. Screenshot: Configuring a URL whitelist for external gadgets Using the Whitelist for the RSS and HTML-include macrosThe RSS and HTML-include macros are used to include content dynamically from other websites onto a Confluence page. The included content may possibly be malicious or harmful to your Confluence instance. Confluence administrators can set up a list of trusted URLs, thus limiting the locations from which the RSS macro and the HTML-include macro can draw their content. The form below allows you to define specific URLs and/or URL patterns which are trusted, or to allow inclusion from all URLs without restriction. To configure the URL whitelist:
Screenshot: Configuring a URL whitelist for RSS or HTML-Include macros
URL Pattern-Matching RulesEnter one URL or URL pattern per line. You can enter a full URL or use pattern-matching as described below:
NotesSome things to be aware of:
What Happens to a Page Containing a Disallowed URL?A user can add the RSS macro or the HTML-include macro to a Confluence page. The macro code includes a URL from which the content is drawn. When the page is displayed, Confluence will check the URL against the whitelist. If the URL is not allowed, Confluence will display an error message on the page. The error message says that Confluence "could not access the content at the URL because it is not from an allowed source" and displays the offending URL. If the person viewing the page is a Confluence Administrator, they will also see a link to the Administration page where they can configure the URL whitelist. Here is an example of the error message, including the link shown only to Confluence Administrators: Here is an example of the error message, but without the link. Related TopicsEnabling HTML macros |
![]() |
Document generated by Confluence on Sep 19, 2011 02:41 |