HTML Macro for Confluence is an Atlassian Forge app that lets you embed custom HTML, CSS, and JavaScript directly inside Confluence pages. It provides a full code editor with live preview and enterprise-grade security controls.
No. HTML Macro for Confluence is a Confluence Cloud app only. It runs on Atlassian Forge and is not available for Server or Data Center deployments.
Yes. All macro content is stored inside Atlassian's Confluence infrastructure as part of the macro configuration. No content is sent to or stored on external servers. The app runs entirely on Atlassian Forge.
No. Confluence page visitors only see the rendered output. The HTML, CSS, and JavaScript source code is never exposed to viewers — only users with editor access (and admin permission) can open the editor.
Yes, basic HTML/CSS knowledge is required to get the most out of this app. It is designed for teams who need to embed custom layouts, interactive widgets, or branded content that Confluence's native editor cannot produce.
Yes, if your admin has whitelisted the CDN domain in the security settings. For example, to use Chart.js from jsDelivr:
cdn.jsdelivr.net<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
<iframe> to embed YouTube or other content?Yes, if the domain is whitelisted. Ask your admin to add youtube.com (or *.youtube.com) to the domain whitelist. If the domain is not whitelisted, the iframe will be replaced with a blocked content placeholder.
Links in the preview are handled differently from the published page. In the preview, link behaviour may vary. On the published Confluence page, all links route correctly through Confluence's navigation system.
fetch() or make API calls?Yes. JavaScript's fetch() API is available. Note that the target domain must be allowed by the CSP security settings, otherwise the browser will block the request.
In Block all mode, no external resources (images, iframes, scripts, stylesheets, fonts, media) are loaded. Only inline content and data: / blob: URIs work. This is the most secure mode.
By design. An empty whitelist in Whitelist Only mode is treated the same as Block all. You must add at least one domain to start allowing external resources.
Yes. Use the *.example.com format to allow subdomains only, without allowing example.com itself.
Inline JavaScript (written in the JavaScript tab) always runs regardless of the CSP mode — it is explicitly permitted. CSP only restricts externally loaded resources like remote scripts, stylesheets, images, and iframes.
Yes. Enable Restrict editor access in the Permissions settings and add the specific users you want to allow. All other users will be blocked from opening the editor.
Yes. Access control only restricts the editor — the rendered output on the Confluence page is visible to anyone with page view access.
Yes. Confluence site administrators always have editor access regardless of the permission settings.