Forum Discussion
HTML Field Security - Group Sites
This relates on the "noscript" or script capability support. You would get similar result when noscript would be enabled on classic team site. Here's the pointer from the following support article.
HTML Field Security - No longer available in Library Settings. - You can still use HTML field security that you set up before scripting was disabled.
Using iFrame has been classicfied as JavaScript injection security challenge and it's disabled for the content areas when noscript is enabled. NoScript setting is enabled by default for Office 365 Groups / Modern team sites and you cannot disable that. When site has scripting capabilities disabled, all scenarios where user can inject script to be executed on behalf of the user, without administrative concent, are being disabled. Custom SharePoint Framework web parts are approved by administrator(s), so they do work on the modern sites.
This is another great example of something that's required when working with modern sites / group sites and surprisingly is not possible to enable / disable. I'm not sure if this setting can be currently changed using Client Side Object Model (CSOM) so I will add here VesaJuvonen for comments and also cfiessinger ssquires and LincolnDeMaris so they can be aware of this issue.
MicrosoftThis relates on the "noscript" or script capability support. You would get similar result when noscript would be enabled on classic team site. Here's the pointer from the following support article.
HTML Field Security - No longer available in Library Settings. - You can still use HTML field security that you set up before scripting was disabled.
Using iFrame has been classicfied as JavaScript injection security challenge and it's disabled for the content areas when noscript is enabled. NoScript setting is enabled by default for Office 365 Groups / Modern team sites and you cannot disable that. When site has scripting capabilities disabled, all scenarios where user can inject script to be executed on behalf of the user, without administrative concent, are being disabled. Custom SharePoint Framework web parts are approved by administrator(s), so they do work on the modern sites.
VesaJuvonen or anyone else that may be able to help, is my understanding correct, that we can acheive what we need by creating a Custom SharePoint Framework web part?
I haven't been able to find much info regarding this, could you point me to a tutorial how we could acheive this?
Appreciate it.
Thanks
I just got a response from Microsoft Support and they were able to provide a method to resolve this.
Connect to sharepoint online powershell:
connect-sposervice -url https://YourTenant-admin.sharepoint.com
set-sposite https://yourTenant.sharepoint.com/sites/GroupSiteUrl -DenyAddAndCustomizePages $false
Then, navigate directly to the settings page for the group and you will see the 'HTML Field Security' option which you can modify:
https://yourTenant.sharepoint.com/sites/GroupSiteUrl/_layouts/settings.aspx
You will have to be an owner of the group to be able to see the settings page.
And, I'm not sure what permissions are required to run that powershell - Tenant Admin or Sharepoint Admin I'd assume (I'm tenant admin)
So is what you're saying the solution for this is from Microsoft support, is that you have to run a powershell command to grant permission for a single Group Site to have that capability? If there were more than one you would have to run that site by site?
What if you wanted to turn it on for all Group Sites?
- VesaJuvonen
We just updated the SPFx tutorials and here's announcement on them from last week.
- David Rosenthal
Your link has a space on the end of it VesaJuvonen :)
the interesting point is that Iframes like
<iframe width="560" height="315" src="https://www.youtube.com/embed/RmEeIfgtoGI" frameborder="0" allowfullscreen></iframe>
working fine.
But Videos from https://support.office.com/en-us/article/Video-Create-files-and-folders-in-OneDrive-for-Business-e1f59717-2f02-494d-93c6-8ef9613e82ba?ui=en-US&rs=en-US&ad=US#ID0EAABAAA=Transcript like
<iframe src="//videoplayercdn.osi.office.net/hub/?csid=ux-cms-en-us-msoffice&uuid=e8be6aa5-8dff-4094-a5fa-de24a521ee1d&AutoPlayVideo=true&height=550&width=980" frameborder= "0" marginwidth= "0" marginheight= "0" scrolling= "no" allowfullscreen= "" style="width: 980px; height: 550px;"></iframe>
are blocked.
VesaJuvonen so the short answer is the only way to embed a simple iframe is to build a Custom SharePoint Framework web part for it?
Seems a bit limiting considering all the functionality is already there...
Thanks
