We're encountering CSP challenges when customers use our Custom UI app in Confluence Cloud. Specifically, when users embed their own HTML containing SSRS report iframes, the content fails to load. This only happens within Forge. The same iframe works as expected in a standard browser tab.

Currently, CSP restrictions prevent third-party embedded content from displaying in Custom UI apps. We’d like to suggest considering support for the object-src directive within Forge’s external permissions model. This would help enable more flexible and secure embedding options for our customers.