Configure HTML Field Security in SharePoint Online
Requirement: Configure HTML Field Security in SharePoint Online.
HTML Field Security in SharePoint Online:
IFrames can lead to JavaScript injection attacks. Hence, We have a security precaution in SharePoint Online to allow embedding scripts only from trusted domains. If you try to add an embed script from any other site, You’ll get an error message: “Embedding content from this website isn’t allowed, but your admin can change this setting. They will need to add ‘www.videodomain.com’ to the list of sites that are allowed.”
Add Trusted Domain to HTML Field Security List:
SharePoint Online comes with a default list of websites from which content can be displayed. You can add or remove sites from this list. To add a site to the trusted sites list to embed IFrame, follow these steps:
- Go to Your SharePoint Online Site Collection >> Site Settings >> Click on “HTML Field Security” under Site Collection Administration
- Set the “Allow contributors to insert iframes only from the following domains” option.
- Add your custom video domain to the list and click on “OK” to save your changes.
Please note, the custom script must be turned ON to get the “HTML Field Security” link in site settings! Use: “Set-SPOsite https://Tenant.sharepoint.com/ -DenyAddAndCustomizePages 0” to enable scripts for your SharePoint Online site. More info here: How to Enable Custom Scripts in SharePoint Online?
HTML Field Security in SharePoint Online using PowerShell
You can configure the HTML Field security’s trusted sites list through PnP PowerShell:
#Set Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/marketing"
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive
#Get the Site
$Site = Get-PnPSite -Includes CustomScriptSafeDomains
#Add domain
$Domain = [Microsoft.SharePoint.Client.ScriptSafeDomainEntityData]::new()
$Domain.DomainName = "products.crescent.com"
$Site.CustomScriptSafeDomains.Create($Domain)
Invoke-PnPQuery
How can this be done now the Site Collection page has been depricated in SPO?
Is it possible to show the code that would remove urls as well?
Hello! Is it possible, in SP2019, to specify in the pnp provisioning template to set the HTML field security to “Allow from any domain”?