Custom Script in SharePoint Online Revisited

The PnP community has become a valuable resource for documentation, sample code, and overall collaboration for all things Microsoft.

If you've worked with Office/Microsoft 365, odds are that you've bumped into at least one community-driven component.

Here are a few examples:

Modern Script Editor

SPFx web part that allows embedding custom HTML/JS/CSS into a modern page.
A set of web parts that allow a more customized search experience, filling some of the gaps left by the out-of-the-box Highlighted content web part. Additional background here.
One of the many example JSON styles for customizing content rendering in SharePoint. In this case, it sets a static, customized header instead of the default view header. List formatting has many samples to showcase different customization options.


In the meantime, Microsoft is on track to add a few new things, while shutting down a few others.

Microsoft has announced deprecations for the older Active Directory PowerShell modules AzureAD, AzureAD Preview and MSOnline.

Also undergoing deprecation is Azure Access Control Services (ACS).

Deprecation announcements give us a time horizon: they tell us exactly what will happen and when, and they distinguish deprecation (the feature may be disabled by default but can still be enabled) from retirement (the feature becomes unavailable).

Microsoft has also recently announced, via Message Centre post MC714186, that the ability to run custom scripts (which can currently be enabled via the DenyAddAndCustomizePages property) will be sort of taken away. While modern pages already forbid the direct use of custom script, there are a number of scenarios where custom script can be enabled in order to perform certain operations. The Modern Script Editor web part is one such scenario: it currently requires custom script to be enabled at the site level in order to function.

Set-SPOSite -Identity https://contoso -DenyAddAndCustomizePages $false


What exactly are the changes being introduced?

It's safe to assume that the intention is to improve security by disabling any custom script execution. Microsoft plans to disable custom scripts for all new and existing sites, and even if the setting is changed it will be reverted again within 24 hours.

From the Message Centre:

The Custom Script setting in SharePoint and OneDrive will be removed by early-May 2024. A new PowerShell command, DelayDenyAddAndCustomizePagesEnforcement, will allow administrators to delay the change until mid-November 2024. The NoScriptSite setting will be configured to True for all existing sites except for specific site templates. Existing scripts in OneDrive and SharePoint sites will not be affected. Administrators can still permit the execution of custom scripts on specific sites using the Set-SPOSite command or from the Active sites page in the SharePoint Admin Center.

Any modifications made to a site will be automatically reverted to False status within 24 hours, unless the new PowerShell command “DelayDenyAddAndCustomizePagesEnforcement” is used prior to mid-November 2024 (previously May). After mid-November, the 24 hour reversion will occur regardless of this setting. 

The NoScriptSite setting will be configured to True for all existing SharePoint sites and OneDrive sites except for the site templates listed below.

BLANKINTERNETCONTAINER#0 = Classic Publishing Portal site

CMSPUBLISHING#0 = Publishing Site

BLANKINTERNET#0 = Publishing Site

GROUP#0 = Team site

APPCATALOG#0 = App Catalog

CSPCONTAINER#0 = CSP Container
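
Before the enforcement reaches a tenant it helps to know which sites currently allow custom script and whether their template is on the exception list above. The following is an added example, not part of the original post: the admin URL, the function name Get-CustomScriptReport and the CSV path are placeholders chosen for illustration, and it assumes the SharePoint Online Management Shell module is installed.

```powershell
# Added example: inventory of sites where custom script is currently allowed.
# The admin URL below is a placeholder; replace it with your tenant's admin URL.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Site templates listed as exceptions in the Message Centre text quoted above.
$exemptTemplates = @(
    'BLANKINTERNETCONTAINER#0', 'CMSPUBLISHING#0', 'BLANKINTERNET#0',
    'GROUP#0', 'APPCATALOG#0', 'CSPCONTAINER#0'
)

# Hypothetical helper: keeps only sites that allow custom script and
# marks whether each site's template is on the exception list.
function Get-CustomScriptReport {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,
        [Parameter(Mandatory)] [string[]] $ExemptTemplates
    )
    foreach ($site in $Sites) {
        # DenyAddAndCustomizePages = Disabled means custom script is ALLOWED.
        if ("$($site.DenyAddAndCustomizePages)" -ne 'Disabled') { continue }

        # -contains is case-insensitive, so Group#0 matches GROUP#0.
        $exempt = $ExemptTemplates -contains $site.Template
        [pscustomobject]@{
            Url            = $site.Url
            Template       = $site.Template
            ExemptTemplate = $exempt
            Note           = if ($exempt) {
                'Template is on the exception list'
            } else {
                'Not on the exception list; setting is reverted within 24 hours'
            }
        }
    }
}

# Include OneDrive sites, since the announcement covers them as well.
$sites  = Get-SPOSite -Limit All -IncludePersonalSite $true
$report = Get-CustomScriptReport -Sites $sites -ExemptTemplates $exemptTemplates

$report | Sort-Object ExemptTemplate, Url | Format-Table -AutoSize
$report | Export-Csv -Path .\custom-script-sites.csv -NoTypeInformation
```

Sites that appear with ExemptTemplate set to False are the ones where a script-dependent page will stop accepting changes once the setting is reverted, so they are the first candidates for an SPFx conversion.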


What are my options?

From a pragmatic point of view, there are a number of options ranging from best practice to "ok" to "dirty hack" to "just don't".

  • Convert each custom script to a dedicated SPFx web part

This is clearly the intended way which is suggested by Microsoft and voiced by most of those in the Microsoft community. You can read about enabling custom script here and the available alternatives here.

  • Move the script to a different site that is not covered by the change

One of the interesting things about the upcoming change is that it doesn't seem to affect all site types or all site template types. This can potentially mean that as long as you are using the Modern Script Editor (as-is, without any change) on a site of template GROUP#0 or another one of those in the exception list, you might still be able to run custom scripts with the combination of Modern Script Editor and DenyAddAndCustomizePages.

  • Change the Modern Script Editor to function without custom script enabled

The Modern Script Editor web part is compiled with a flag (requiresCustomScript) that forces custom script to be enabled in order for the web part to work. This is a kind of security protection, because it forces you to change the site property deliberately instead of blindly allowing everyone to add custom script. However, the web part itself will function whether the setting is enabled or disabled. The problem is that in this new state of affairs, the custom script setting on all sites will be constantly disabled, which renders the web part unusable. Changing this flag (although questionable) allows custom script to stay disabled while still having a working Modern Script Editor web part available for small scripts in modern pages. Clearly there are risks that should be considered and understood before going ahead with something like this.

  • Schedule the scheduler

This is probably the "less good" option of all. I personally find it very difficult to see a scenario where this would make sense (but who am I to judge). In this case you will basically be overriding the setting that is being overwritten by Microsoft. They disable custom scripts every 24 hours, then you go and re-enable custom scripts for your site(s), and so on and so forth.

For additional details, feel free to read the blog entry from the author himself, Mikael Svenson, here.

Note:

I would suggest to anyone interested in the web part to grab the code and compile it yourself.
However, it has proven useful to have the package readily available. For that reason, I will host the latest version (currently 1.0.24) of the Modern Script Editor Web Part here (no change) and here (requiresCustomScript flag changed from true to false).
