Configure HTML Field Security in SharePoint Online

Requirement: Configure HTML Field Security in SharePoint Online

HTML Field Security in SharePoint Online:
IFrames can lead to JavaScript injection attack, hence We've a security precaution in SharePoint Online to allow embed scripts only from trusted domains. If you try to add embed script from any other site, You'll get an error message: "Embedding content from this website isn't allowed, but your admin can change this setting. They will need to add 'www.videodomain.com' to the list of sites that are allowed."

Add Trusted Domain to HTML Field Security List:
SharePoint Online comes with a default list of web sites from which content can be displayed. You can add or remove sites in this list. To add a site to trusted sites list to embed IFrame, follow these steps:
  • Go to Your SharePoint Online Site Collection >> Site Settings >> Click on "HTML Field Security" under Site Collection Administration 
  • Set "Allow contributors to insert iframes only from the following domains" option. 
  • Add your custom video domain to the list and Click on "OK" to save your changes.
Please note, custom script must be turned ON to get "HTML Field Security" link in site settings! Use: "Set-SPOsite https://Tenant.sharepoint.com/ -DenyAddAndCustomizePages 0" to enable scripts for your SharePoint Online site. More info here: How to Enable Custom Scripts in SharePoint Online?

HTML Field Security in SharePoint Online using PowerShell?
You can configure the HTML Field security's trusted sites list through PnP PowerShell
#Set Variables
$SiteURL = "https://crescentintranet.sharepoint.com/sites/marketing"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin

#Get the Site
$Site = Get-PnPSite –Includes CustomScriptSafeDomains  

#Add domain
$Domain = [Microsoft.SharePoint.Client.ScriptSafeDomainEntityData]::new()
$Domain.DomainName = "products.crescent.com"
$Site.CustomScriptSafeDomains.Create($Domain)
Invoke-PnPQuery

1 comment:

  1. Hello! Is it possible, in SP2019, to specify in the pnp provisioning template to set the HTML field security to "Allow from any domain"?

    ReplyDelete

Please Login and comment to get your questions answered!

Powered by Blogger.