Custom Script in SharePoint Online Revisited

By -

The PnP community has become a valuable resource for documentation, sample code, and overall collaboration for all things Microsoft.

If you've worked with Office/Microsoft 365, odds are that you've bumped into at least one community-driven component.

Here are a few examples:

Modern Script Editor

SPFx web part that allows the embedding custom html/js/css into a modern page.
Set of web parts that allow a more customized search experience, which fills some of the gaps left by the highlighted content out-of-the-box web part. Additional background here.
One of the many example json styles for customizing content rendering in SharePoint. In this case, it sets a static, customized header instead of the default view header. List formatting has many samples to showcase different customization options.


In the meantime, Microsoft is on track to add a few new things, while shutting down a few others.

Microsoft has announced deprecations for older active directory modules AzureAD, AzureAD Preview and MSOnline.

Also undergoing deprecation is the Azure Access Control Services or ACS.

Deprecation announcements give us a time horizon to be able to understand exactly what will happen and when and the difference between deprecation (potentially disable the feature by default but allow it) and retirement (feature becomes unavailable).

Microsoft has also announced recently via the Message Centre MC714186 that the ability to run custom scripts (which can currently be opened via DenyAddAndCustomizePages property) will be sort of taken away. While Modern Pages already forbid the direct usage of custom script, there are a number of scenarios where custom script can be enabled in order to perform certain operations. the Modern Script Editor web part is one such scenario. The web part currently requires custom script to be enabled at the site level in order to function.

Set-SPOSite -Identity https://contoso -DenyAddAndCustomizePages $false


What exactly are the changes being introduced?

It's safe to assume that the intention is to ensure additional security by disabling any custom script execution. Microsoft plans to disable custom scripts for all new and existing sites and even if the setting is changed, it will be reverted again within 24 hours.

From the Message Centre:

The Custom Script setting in SharePoint and OneDrive will be removed by early-May 2024. A new PowerShell command, DelayDenyAddAndCustomizePagesEnforcement, will allow administrators to delay the change until mid-November 2024. The NoScriptSite setting will be configured to True for all existing sites except for specific site templates. Existing scripts in OneDrive and SharePoint sites will not be affected. Administrators can still permit the execution of custom scripts on specific sites using the Set-SPOSite command or from the Active sites page in the SharePoint Admin Center.

Any modifications made to a site will be automatically reverted to False status within 24 hours, unless the new PowerShell command “DelayDenyAddAndCustomizePagesEnforcement” is used prior to mid-November 2024 (previously May). After mid-November, the 24 hour reversion will occur regardless of this setting. 

The NoScriptSite setting will be configured to True for all existing SharePoint sites and OneDrive sites except for below mentioned sites templates.

BLANKINTERNETCONTAINER#0 = Classic Publishing Portal site

CMSPUBLISHING#0 = Publishing Site

BLANKINTERNET#0 = Publishing Site

GROUP#0 = Team site

APPCATALOG#0 = App Catalog

CSPCONTAINER#0 = CSP Container


What are my options?

From a pragmatical point of view, there are a number of options ranging from best practice to "ok" to "dirty hack" to "just don't".

  • Convert each custom script to a dedicated SPFx web part

This is clearly the intended way which is suggested by Microsoft and voiced by most of those in the Microsoft community. You can read about enabling custom script here and the available alternatives here.

  • Move the script to a different site that is not covered by the change

One of the interesting things about the upcoming change is that it doesn't seem to affect all site types or all site template types. This can potentially mean that as long as you are using the Modern Script Editor - as-is, without any change - on a site of template Group#0 or another one of those in the exception list, you might still be able to run custom scripts with the combo Modern Script Editor + DenyAddAndCustomizePages.

  • Change the Modern Script Editor to function without custom script enabled

The Modern Script Editor web part is compiled with a flag (requiresCustomScript) that forces custom script to be enabled in order for the web part to work. This is a sort of security protection because it forces you to change the site property instead of just blindly allow everyone to add custom script. However, the web part will function whether the setting is enabled or disabled. The problem is that in this new state of affairs, all sites script setting will be constantly disabled, which renders the web part unusable. Changing this setting (although questionable) allows having custom script disabled but still have a working modern script editor web part available for small scripts in modern pages. Clearly there are risks that should be considered and understood before going ahead with something like this.

  • Schedule the scheduler

This is probably the "less good" option of all. I personally find it very difficult to see a scenario where this would make sense (but who am I to judge). In this case you will basically be overriding the setting that is being overwritten by Microsoft. They disable custom scripts every 24 hours, then you go and re-enable custom scripts for your site(s), and so on and so forth.

For additional details, feel free to read the blog entry from the author himself Mikael Svenson here.

Note:

I would suggest to anyone interested in the web part to grab the code and compile it yourself.
However, it has proven useful to have the package readily available. For that reason, I will host the latest version (currently 1.0.24) of the Modern Script Editor Web Part here (no change) and here (requiresCustomScript flag changed from true to false).

Comments

Post a Comment

Popular posts from this blog

Breaking down document locking in SharePoint

By -
Image
This is a topic I've been meaning to discuss in a while. We open, change and close documents almost every day, and sometimes we collaborate with other people at the same time on those documents. SharePoint brings all co-authoring features we need, straight out-of-the-box, but sometimes, there are problems. While things are starting to look better on the cloud side, the concept of document locking is still very much up-to-date and understanding how it works and what to do when things go wrong is crucial. In an article that has since disappeared the Microsoft Knowledge Base (but still available here ), Microsoft explains it best: When a document is opened by a client program, Windows SharePoint Services puts a write lock on the document on the server. The write lock times out after 10 minutes. Users cannot modify the document during the time when the document is locked. In a scenario where the program that opens the document unexpectedly quits or crashes and you try to open the do
Read more

Working around X-Frame-Options for iframes

By -
Image
The problem: One of the first things we noticed after migrating to SharePoint 2013 was that our iframes have stopped working, giving the error: "Refused to display 'http://contoso/pages/home.aspx' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'." Quickly we could see that this is in fact a security mechanism to prevent click-jacking and others: "The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites." Soon we realized that, starting SharePoint 2013, an HTTP Module is adding the header " X-Frame-Options " by default, with the value " SAMEORIGIN ". This is effectively preventing the rendering of pages outside the scope of the current web application. The (attempted) solution: So what to do?
Read more

Document ID not being generated

By -
Image
Problem In a scenario where we have many document Content Types, we may want to enable Document ID - aka "Permanent Links" - which is a feature in SharePoint that assigns a specific ID for each document. That ID never changes even if the document is renamed or moved to another location. In this scenario, the Document ID field was being generated for some libraries/content types, but not others, which is a surprisingly common problem. Background There are several stages we need to go through to enable use this mechanism. Stage 1 We enable the feature in the Site Collection Features. Stage 2 Under Site Collection Administration > Document ID Settings, we need to enable the assignment and pick a prefix. The IDs use the format: PREFIX-LISTID-LISTITEMID ( ref ) Where: PREFIX: the preconfigured prefix for the site collection, which can be any set of numbers and letters between 4-12 characters LISTID: the property docid_msft_hier_listid of the list
Read more