Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yamuno.com/llms.txt

Use this file to discover all available pages before exploring further.

Security & CSP

HTML Macro for Confluence uses Content Security Policy (CSP) to control what external resources can load inside the macro iframe. Admins configure the security mode from Confluence Settings → HTML Macro → Security.

Security Modes

Block All (default)

No external resources load. Only inline HTML, CSS, and JavaScript run. This is the most secure mode and the default for new installations. Best for: Internal widgets, styled text, and custom layouts that don’t need external libraries.

Whitelist

Only domains explicitly added to the whitelist can serve resources. All other external URLs are blocked by the browser’s CSP enforcement. Best for: Controlled use of specific CDN libraries or external APIs. To add a domain:
  1. Go to Confluence Settings → HTML Macro → Security
  2. Set mode to Whitelist
  3. Click Add domain
  4. Enter the domain (e.g. cdn.jsdelivr.net)
  5. Save
An empty whitelist behaves like Block all — no domains load until at least one is added.

Allow All

Any external URL can load resources. No CSP restrictions are applied. Best for: Trusted internal Confluence instances where all editors are vetted. Not recommended for public-facing or externally accessible Confluence instances.

Common Domains to Whitelist

LibraryDomain to whitelist
Chart.jscdn.jsdelivr.net
Google Fontsfonts.googleapis.com, fonts.gstatic.com
YouTube embedswww.youtube.com
Google Mapsmaps.googleapis.com
D3.jscdn.jsdelivr.net
Mermaid diagramscdn.jsdelivr.net

Viewer Security

Visitors (non-editors) only see the rendered output of the macro. The source HTML, CSS, and JavaScript are never exposed to viewers, regardless of security mode.