

Use the HTML add-on to add snippets of HTML to your page. These can include HTML, JavaScript and CSS, which will run only inside the macro itself and cannot affect the larger page. All Cloud add-ons of this type must run in an iframe on the page.

To include JavaScript you should uncheck the "Sanitize" option and specify the height for your macro. JavaScript and CSS will only affect content within the macro itself.

Video Demo



In addition to the standard add-on installation, you must add the user "Html Macro" to "access-confluence" or the group "Administrators".

The Cloud add-on permission model is evolving, so currently either of these groups works.


MORE HTML Macro for Confluence Cloud Examples - Such as a JIRA Issue Collector!

Here are just a couple of examples of content you can now place in your page. 

Include forms from Wufoo 

Here is a live form being served from Wufoo (you must unselect "Sanitize").



CodePen is a playground for the front end web.


MORE HTML Macro for Confluence Cloud Examples

Security Considerations - Sanitized HTML option

When using the "sanitized" option, only HTML considered safe is allowed. This option will load slightly faster. An "iframe" is permitted.

Unchecking the "sanitized" option allows JavaScript as well. In this case, however, a second iframe (a 'double iframe') served from a different domain is used to completely insulate the content from the parent Confluence page. Thus it is safe. Any Cloud add-on not doing this would be unsafe, as the JavaScript could make REST calls back to Confluence as the present user. Using the double iframe and a different domain prevents this.

Development Considerations

When developing JavaScript or other code to add to this add-on, keep in mind that it is running in an iframe inside an iframe on the Confluence page. The innermost iframe is served from our add-on domain and not from Atlassian. For instance, if you create an HTML form and submit it, you'll probably get a response from our domain along the lines of "Not authenticated".




If permissions are restricted at either the space level or the page level such that the relevant "add-on user" (which gets created when you install an add-on) does not have access to read / write, then operations will fail.

The current model for Cloud add-ons is a bit brittle in this respect. Hopefully Atlassian will address this at some point.

Please see Cloud add-on permission requirements for more information.


When I try to include an iframe it does not work. The browser console says "Refused to display '' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."

The remote site is explicitly setting a security policy (the X-Frame-Options response header) that disallows being embedded in an iframe, and the browser is honoring that. It is basic browser security and not something we can control.

If you control the remote domain, you can disable the setting. Otherwise you'd have to build a proxy for that domain that strips the header. This is probably going to be common.

Many sites don't want to show up in iframes for IP or security reasons.

The X-Frame-Options value SAMEORIGIN says that the page can be embedded in an iframe if the parent page is from the same origin, but there are other values that disallow it from any origin, etc.
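
To see in advance whether a site will refuse to load in the macro, the framing headers of its response can be evaluated offline. This is an added example, not code from the add-on or its vendor; it goes beyond the SAMEORIGIN case above to cover DENY and the CSP `frame-ancestors` directive, checks a single parent origin only, and the origins (`addon.example`, `intranet.example`) and function names are assumptions.

```javascript
// Added example; origins and header values below are constructed samples.
// Simplified CSP source matching: 'self', *, scheme-only, and host sources
// with an optional scheme, leading "*." wildcard and port. Paths are ignored.
function sourceMatches(source, parentOrigin, targetOrigin) {
  const parent = new URL(parentOrigin);
  if (source === "'self'") return parent.origin === new URL(targetOrigin).origin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return parent.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a source without a scheme accepts http or https parents.
  if (scheme ? parent.protocol !== scheme.toLowerCase() + ":" : !/^https?:$/.test(parent.protocol)) return false;
  const name = parent.hostname, want = host.toLowerCase();
  if (wildcard ? !name.endsWith("." + want) : name !== want) return false;
  const defaultPort = parent.protocol === "https:" ? "443" : "80";
  return port === "*" || (port || defaultPort) === (parent.port || defaultPort);
}

// Returns { allowed, reason } for framing targetOrigin inside parentOrigin.
function framingDecision(headers, parentOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1);
    const allowed = sources.some((s) => s !== "'none'" && sourceMatches(s, parentOrigin, targetOrigin));
    return { allowed, reason: "CSP frame-ancestors " + (sources.join(" ") || "(empty)") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  const sameOrigin = new URL(parentOrigin).origin === new URL(targetOrigin).origin;
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options DENY" };
  if (xfo === "SAMEORIGIN") return { allowed: sameOrigin, reason: "X-Frame-Options SAMEORIGIN" };
  // Other values (including the obsolete ALLOW-FROM) are not enforced by current browsers.
  return { allowed: true, reason: xfo ? "unenforced X-Frame-Options value" : "no framing header" };
}

// Constructed case: a site sending SAMEORIGIN, framed by the macro's inner iframe.
const ADDON = "https://addon.example"; // hypothetical add-on domain
console.log(framingDecision({ "X-Frame-Options": "SAMEORIGIN" }, ADDON, "https://intranet.example"));
```

Feed it the response headers shown in the browser's network tab for the page you want to embed, with the add-on domain as the parent origin.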
