By default all attachments that are referenced through a viewport are delivered with security settings that do not allow scripting elements to be interpreted by the browser. This protects Confluence and Scroll Viewport users from malicious files.
If you need interactive HTML attachments a Confluence administrator can disable the security settings for a specific viewport.
To do so, change the configuration of the respective viewport:
- From a space, navigate to Space tools → Apps → Scroll Viewport
- Find your viewport in the list and click Configure
- Switch to the Content tab
- Toggle advanced mode by clicking the cog icon in the upper right hand corner.
- Tick the check box Allow running scripts in attachments.
If you enable interactive HTML file attachments in a viewport every user that can upload attachments to the source space of the viewport can compromise the security of your viewport and even of your Confluence installation.
The scripts are served from the same origin and thus have the same access level as the user of the viewport.