Configure HTML Field Security in SharePoint Online

Requirement: Configure HTML Field Security in SharePoint Online.

HTML Field Security in SharePoint Online:

IFrames can be used for JavaScript injection attacks. Hence, SharePoint Online includes a security precaution that allows embedding scripts only from trusted domains. If you try to add an embed script from any other site, you’ll get an error message: “Embedding content from this website isn’t allowed, but your admin can change this setting. They will need to add ‘www.videodomain.com’ to the list of sites that are allowed.”

Add Trusted Domain to HTML Field Security List:
SharePoint Online comes with a default list of websites from which content can be displayed. You can add or remove sites from this list. To add a site to the trusted sites list so that its content can be embedded in an IFrame, follow these steps:

  1. Go to Your SharePoint Online Site Collection >> Site Settings >> Click on “HTML Field Security” under Site Collection Administration (URL Shortcut: /_layouts/15/HtmlFieldSecurity.aspx)
  2. Set the “Allow contributors to insert iframes only from the following domains” option.
  3. Add your custom video domain to the list and click on “OK” to save your changes.

Please note that you must be a Site Collection Administrator, and custom script must be turned ON for the “HTML Field Security” link to appear in Site Settings! Use “Set-SPOsite https://Tenant.sharepoint.com/ -DenyAddAndCustomizePages 0” to enable scripts for your SharePoint Online site. More info here: How to Enable Custom Scripts in SharePoint Online?

HTML Field Security in SharePoint Online using PowerShell

You can configure the HTML Field Security trusted sites list through PnP PowerShell:

#Set Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/marketing"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive

#Get the Site
$Site = Get-PnPSite -Includes CustomScriptSafeDomains

#Add domain
$Domain = [Microsoft.SharePoint.Client.ScriptSafeDomainEntityData]::new()
$Domain.DomainName = "products.crescent.com"
$Site.CustomScriptSafeDomains.Create($Domain)
Invoke-PnPQuery
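As an added example that is not part of the original article, the following PnP PowerShell script reads the same CustomScriptSafeDomains collection for every site collection in a tenant and reports any trusted domain that is not on an approved allowlist, so drift from the intended configuration can be found and cleaned up. The admin URL, the allowlist and the CSV path are assumed placeholders; it assumes PnP.PowerShell is installed and the signed-in account is a SharePoint administrator.

```powershell
# Added example (not from the original article): audit the HTML Field Security
# trusted-domain list of every site collection against an approved allowlist.
# Constructed placeholders: tenant admin URL, allowlist and output path.
$AdminURL = "https://crescent-admin.sharepoint.com"
$ApprovedDomains = @("products.crescent.com", "www.youtube.com", "player.vimeo.com")
$ReportPath = ".\HtmlFieldSecurity-Audit.csv"

# Returns the domains on a site's trusted list that are not in the allowlist.
function Get-UnapprovedSafeDomains {
    param([string[]]$SiteDomains, [string[]]$Approved)
    $Lower = $Approved | ForEach-Object { $_.ToLowerInvariant() }
    $SiteDomains | Where-Object { $Lower -notcontains $_.ToLowerInvariant() }
}

# Enumerate the site collections in the tenant (requires the admin centre URL).
Connect-PnPOnline -Url $AdminURL -Interactive
$TenantSites = Get-PnPTenantSite

$Report = foreach ($TenantSite in $TenantSites) {
    try {
        # Connect to each site collection and load its trusted-domain list.
        Connect-PnPOnline -Url $TenantSite.Url -Interactive
        $Site = Get-PnPSite -Includes CustomScriptSafeDomains
        $Domains = @($Site.CustomScriptSafeDomains | ForEach-Object { $_.DomainName })
        $Unapproved = @(Get-UnapprovedSafeDomains -SiteDomains $Domains -Approved $ApprovedDomains)

        [PSCustomObject]@{
            Url            = $TenantSite.Url
            TrustedDomains = ($Domains -join ";")
            Unapproved     = ($Unapproved -join ";")
        }
    }
    catch {
        # Sites the account cannot open are reported rather than silently skipped.
        Write-Warning "Could not read $($TenantSite.Url): $($_.Exception.Message)"
    }
}

# Show only the sites that need attention, and keep the full result for records.
$Report | Where-Object { $_.Unapproved } | Format-Table Url, Unapproved -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Tokens from the first interactive sign-in are reused for the per-site connections, so the prompt normally appears only once.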

Conclusion

HTML fields in SharePoint Online provide a powerful way to create rich and dynamic content, but they also introduce potential security risks. By understanding these risks and implementing best practices for HTML field security, organizations can protect their sensitive data and maintain a secure SharePoint environment. Configure it so that you strike a balance between allowing informative embeds and protecting your users from potential security risks.

Remember, it’s advisable to add only trusted domains to the list and to avoid enabling embedding from all sites. Additionally, use Content Editor Web Parts sparingly, implement a Content Security Policy, keep your SharePoint environment updated, and establish processes for monitoring and responding to security incidents. By understanding the potential risks associated with HTML fields, such as cross-site scripting (XSS) attacks, and implementing the recommended security practices, you can effectively mitigate these threats.

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he’s passionate about sharing his knowledge and insights to help others through real-world articles!

5 thoughts on “Configure HTML Field Security in SharePoint Online”

  • Go to Your SharePoint Online Site Collection >> Site Settings >> Click on “HTML Field Security” under Site Collection Administration

    Is it too much to ask to have a screenshot?

    • If you don’t see this link, chances are you may not have “Site Collection Administrator” rights, or custom scripts are disabled!

  • How can this be done now that the Site Collection page has been deprecated in SPO?

  • Is it possible to show the code that would remove URLs as well?

  • Hello! Is it possible, in SP2019, to specify in the pnp provisioning template to set the HTML field security to “Allow from any domain”?
