Security & CSP
HTML Macro for Confluence uses Content Security Policy (CSP) to control what external resources can load inside the macro iframe. Admins configure the security mode from Confluence Settings → HTML Macro → Security.Security Modes
Block All (default)
No external resources load. Only inline HTML, CSS, and JavaScript run. This is the most secure mode and the default for new installations. Best for: Internal widgets, styled text, and custom layouts that don’t need external libraries.Whitelist
Only domains explicitly added to the whitelist can serve resources. All other external URLs are blocked by the browser’s CSP enforcement. Best for: Controlled use of specific CDN libraries or external APIs. To add a domain:- Go to Confluence Settings → HTML Macro → Security
- Set mode to Whitelist
- Click Add domain
- Enter the domain (e.g.
cdn.jsdelivr.net) - Save
