Jonathan Pusinelli why is Atlassian making it difficult? It seems you make HTML and host it on your own site. Why not zip that HTML and send it to an upload endpoint hosted by the customer?

Martin Cleaver not quite - we're embedding the original Confluence page in an iframe, and therefore need Atlassian to allowlist domains that this iframe will load under. That's done for wikipage.io, but so far they have declined doing it on an individual basis.

Jonathan Pusinelli Thanks.

Ok, I didn't realize that it's doing live delivery from Confluence. Could it work if we set up a proxy on e.g. AWS?

Jonathan Pusinelli - in my case, the domain (wolfond.org) is already in Atlassian's allow list as I put Confluence on a subdomain (www.community.wolfond.org) of it.

So, they simply need to permit your iframe to load under e.g. www.public.wolfond.org

That's not much to ask, and strengthen's their proposition for selling Premium.

Martin Cleaver you're right, with Atlassian having implemented custom domains for Confluence, it seems reasonable to use the same allowlist for our app. We have tried using that argument, to no avail. I assume the complexity is in implementing this for embedded pages specifically, where you'd need both app and tenant isolation (- so that not everybody using embedded pages has the allowlist of Spacecraft, and not every tenant of Spacecraft has the allowlist of any other tenant of Spacecraft). There is a public feature request that you can access at https://jira.atlassian.com/browse/CONFCLOUD-79375.

As for using a proxy, I believe the same CSP restrictions would apply. The restrictions are enforced by the browser, and if the domain is not on the allowlist, browsers will block the iframe, even if a proxy is used.