Cameron Monks
Brass Contributor
Jan 30, 2017
Solved

HTML Field Security - Group Sites

Hello all

I am having issues embedding an iframe into the content embed webpart on an Office 365 group site. When trying to embed iframes I am getting the following error:

Clicking on the guidance link takes me to the following URL which explains the steps for changing iframe settings. This works fine on a standard team site, however the HTML Field Security link is missing from the menu.

If you attempt to go straight to the URL (https://interpodoffsite.sharepoint.com/sites/<sitename>/_layouts/15/HtmlFieldSecurity.aspx), it goes to an "Access Required" page. I am a group owner.

Is there any way to get to this page, or change the settings another way (PowerShell etc)?

Thanks!

  • VesaJuvonen
    Jan 30, 2017

    This relates to the "noscript" or script capability support. You would get a similar result when noscript is enabled on a classic team site. Here's the pointer from the following support article.

    HTML Field Security - No longer available in Library Settings. - You can still use HTML field security that you set up before scripting was disabled.

    https://support.office.com/en-us/article/Turn-scripting-capabilities-on-or-off-1f2c515f-5d7e-448a-9fd7-835da935584f?ui=en-US&rs=en-US&ad=US

    Using iFrame has been classified as a JavaScript injection security challenge and it's disabled for the content areas when noscript is enabled. The NoScript setting is enabled by default for Office 365 Groups / Modern team sites and you cannot disable that. When a site has scripting capabilities disabled, all scenarios where a user can inject script to be executed on behalf of the user, without administrative consent, are being disabled. Custom SharePoint Framework web parts are approved by administrator(s), so they do work on the modern sites.

  • This is another great example of something that's required when working with modern sites / group sites and surprisingly is not possible to enable / disable. I'm not sure if this setting can be currently changed using Client Side Object Model (CSOM) so I will add here VesaJuvonen for comments and also cfiessinger ssquires and LincolnDeMaris so they can be aware of this issue.


      • Cameron Monks
        Brass Contributor

        VesaJuvonen or anyone else that may be able to help, is my understanding correct, that we can achieve what we need by creating a Custom SharePoint Framework web part?

        I haven't been able to find much info regarding this, could you point me to a tutorial how we could achieve this?

        Appreciate it.

        Thanks
