HTML Macros Fail after Upgrading to 3.4 or Later Due to External URL References to Local Resources

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

After upgrading Confluence from a previous version to 3.4 or above, JavaScript includes and HTML macros that reference resources by external URL fail.

Example code:

    {html}
    <script src="http://<server base URL>/download/attachments/xxxxxx/"></script>
    {html}

or

    {html}
    <applet width=300 height=600
            archive="xxxx.jar"
            code="com.atlassian.someclass.class"
            codebase="http://<server base URL>/download/attachments/xxxxxx/">
    .....
    </applet>
    {html}

Cause

This is caused by Tomcat not allowing 'include' script and applet URL references, in order to prevent possible XSRF and session hijacking. External source references cause Tomcat to redirect the request to the login page, so the URL specified in the src parameter fails to load.

Workaround

Create a dedicated Apache HTTP server or a new context within Tomcat (separate from Confluence), and use it to host the external JavaScript files or class jar files.

Resolution

Edit the Tomcat server.xml file. On the Context element, remove the attribute:

    useHttpOnly="true"

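Before removing this, please consider that there are security implications, as per this Tomcat bug report. Without the HttpOnly flag, the session cookie is readable by scripts running in the page, so a cross-site scripting flaw can expose the session.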
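To confirm what the server.xml edit actually changed, the following added example (not part of the original article or of any Atlassian tooling) lists the useHttpOnly setting on each Context element and checks whether a Set-Cookie value for JSESSIONID still carries HttpOnly. The sample server.xml, the header values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml; paths and docBase are placeholders.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="" docBase="../confluence" useHttpOnly="true"/>
        <Context path="/static" docBase="../static"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed Set-Cookie values: with the flag, and after the attribute is removed.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "JSESSIONID=0123456789ABCDEF; Path=/",
]


def audit_contexts(server_xml):
    """Return (path, useHttpOnly) for every <Context>; None means not set explicitly."""
    root = ET.fromstring(server_xml)
    return [(c.get("path", ""), c.get("useHttpOnly")) for c in root.iter("Context")]


def is_httponly(set_cookie_value, name="JSESSIONID"):
    """True/False if the named cookie carries HttpOnly (case-insensitive), None otherwise."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    if not parts[0].startswith(name + "="):
        return None
    return any(p.lower() == "httponly" for p in parts[1:])


def report(server_xml, headers):
    lines = []
    for path, value in audit_contexts(server_xml):
        state = value if value is not None else "not set (Tomcat version default applies)"
        lines.append(f"Context path={path!r}: useHttpOnly={state}")
    for h in headers:
        flag = is_httponly(h)
        if flag is not None:
            lines.append(("HttpOnly set: " if flag else "readable by page scripts: ") + h)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SERVER_XML, SAMPLE_HEADERS)))
```

Checking the Set-Cookie header as well as the file matters because a Context without the attribute inherits the default of the Tomcat version in use.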

Updated on April 15, 2025
