Forum Discussion

Cameron Monks's avatar
Cameron Monks
Brass Contributor
Jan 30, 2017
Solved

HTML Field Security - Group Sites

Hello all   I am having issues embeding an iframe into the content embed webpart on an office 365 group site. When trying to embed iframes I am getting the following error:   Clicking on th...
Office 365 Groups
  • VesaJuvonen's avatar
    VesaJuvonen
    Jan 30, 2017

    This relates on the "noscript" or script capability support. You would get similar result when noscript would be enabled on classic team site. Here's the pointer from the following support article.

     

    HTML Field Security - No longer available in Library Settings. - You can still use HTML field security that you set up before scripting was disabled.

     

    https://support.office.com/en-us/article/Turn-scripting-capabilities-on-or-off-1f2c515f-5d7e-448a-9fd7-835da935584f?ui=en-US&rs=en-US&ad=US

     

    Using iFrame has been classicfied as JavaScript injection security challenge and it's disabled for the content areas when noscript is enabled. NoScript setting is enabled by default for Office 365 Groups / Modern team sites and you cannot disable that. When site has scripting capabilities disabled, all scenarios where user can inject script to be executed on behalf of the user, without administrative concent, are being disabled. Custom SharePoint Framework web parts are approved by administrator(s), so they do work on the modern sites.

jcgonzalezmartin's avatar
jcgonzalezmartin
MVP
Jan 30, 2017

This is another great example of something that's required when working with modern sites / group sites and surprisingly is not possible to enable / disable. I'm not sure if this setting can be currently changed using Client Side Object Model (CSOM) so I will add here VesaJuvonen for comments and also cfiessinger ssquires and LincolnDeMaris so they can be aware of this issue.

  • VesaJuvonen's avatar
    VesaJuvonen
    Icon for Microsoft rankMicrosoft
    Jan 30, 2017

    This relates on the "noscript" or script capability support. You would get similar result when noscript would be enabled on classic team site. Here's the pointer from the following support article.

     

    HTML Field Security - No longer available in Library Settings. - You can still use HTML field security that you set up before scripting was disabled.

     

    https://support.office.com/en-us/article/Turn-scripting-capabilities-on-or-off-1f2c515f-5d7e-448a-9fd7-835da935584f?ui=en-US&rs=en-US&ad=US

     

    Using iFrame has been classicfied as JavaScript injection security challenge and it's disabled for the content areas when noscript is enabled. NoScript setting is enabled by default for Office 365 Groups / Modern team sites and you cannot disable that. When site has scripting capabilities disabled, all scenarios where user can inject script to be executed on behalf of the user, without administrative concent, are being disabled. Custom SharePoint Framework web parts are approved by administrator(s), so they do work on the modern sites.

    • Cameron Monks's avatar
      Cameron Monks
      Brass Contributor
      Feb 02, 2017

      VesaJuvonen or anyone else that may be able to help, is my understanding correct, that we can acheive what we need by creating a Custom SharePoint Framework web part?

       

      I haven't been able to find much info regarding this, could you point me to a tutorial how we could acheive this?

       

      Appreciate it.

       

      Thanks 

      • John Jordan's avatar
        John Jordan
        Copper Contributor
        Apr 13, 2017

        I just got a response from Microsoft Support and they were able to provide a method to resolve this.

        Connect to sharepoint online powershell:

        connect-sposervice -url https://YourTenant-admin.sharepoint.com

        set-sposite https://yourTenant.sharepoint.com/sites/GroupSiteUrl -DenyAddAndCustomizePages $false

         

        Then, navigate directly to the settings page for the group and you will see the 'HTML Field Security' option which you can modify:

        https://yourTenant.sharepoint.com/sites/GroupSiteUrl/_layouts/settings.aspx

         

        You will have to be an owner of the group to be able to see the settings page.

        And, I'm not sure what permissions are required to run that powershell - Tenant Admin or Sharepoint Admin I'd assume (I'm tenant admin)

    • Uwe Sachweh's avatar
      Uwe Sachweh
      Copper Contributor
      Feb 01, 2017

      the interesting point is that Iframes like

       

      <iframe width="560" height="315" src="https://www.youtube.com/embed/RmEeIfgtoGI" frameborder="0" allowfullscreen></iframe>

       

      working fine.

       

       But Videos from https://support.office.com/en-us/article/Video-Create-files-and-folders-in-OneDrive-for-Business-e1f59717-2f02-494d-93c6-8ef9613e82ba?ui=en-US&rs=en-US&ad=US#ID0EAABAAA=Transcript like

       

      <iframe src="//videoplayercdn.osi.office.net/hub/?csid=ux-cms-en-us-msoffice&uuid=e8be6aa5-8dff-4094-a5fa-de24a521ee1d&AutoPlayVideo=true&height=550&width=980" frameborder= "0" marginwidth= "0" marginheight= "0" scrolling= "no" allowfullscreen= "" style="width: 980px; height: 550px;"></iframe>

       

      are blocked.

    • Cameron Monks's avatar
      Cameron Monks
      Brass Contributor
      Jan 30, 2017

      VesaJuvonen so the short answer is the only way to embed a simple iframe is to build a Custom SharePoint Framework web part for it?

       

      Seems a bit limiting considering all the functionality is already there...

       

      Thanks

Resources