SharePoint Online Allow custom scripts - Part 1

Recently my office 365 trial expire and Microsoft suggests me to apply for new developer subscription due to my usage. So I set up a new office 365 tenant and try to migrate my test content from old tenant to new. But there I get an issue. The issue was the new tenant has custom scripts disabled.

Analysis:

When I searched for same, I found out due to a new modern site functionality Microsoft has to make changes in their environment and now each new tenant comes with scripting functionality disabled.


The reason behind disablening is that allowing javascript injection is big security concern. See below high level point that Microsoft provided:

• Every script that runs in a SharePoint page always runs in the context of the user visiting the page and the SharePoint application. Scripts have access to everything the user has access to. With enough access, you can even delete site collection in back end while end user didn't know about it.
• You can't audit the insertion of script.once you allow scripting, you can't identify What code has been inserted or Where the code has been inserted or Who inserted the code.
• You can't block or remove inserted script. If you've allowed custom script, you can change the setting to later prevent users from adding custom script, but you can't block the execution of script that has already been inserted.

Why do we need to enable it when Microsoft has disabled scripting in the first place? Here are some of the reasons:

• The main issue I face - users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint
• You are not allowed to save the site or list templates.
• The solution gallery won't work. If you are using any sandbox solution then this is the required thing.
• SharePoint Designer won't have full features available. Microsoft has listed that it will affect pages and list/library forms.
• You will not able to upload code files with extensions .asmx, .ascx , .aspx , .htc , .jar , .master , .swf , .xap , .xsf in library.


• Microsoft has listed below web parts that are not allowed when scripting is disabled
• Business Data
• Business Data Actions
• Business Data Item
• Business Data Item Builder
• Business Data List
• Business Data Related List
• Excel Web Access
• Indicator Details
• Status List
• Visio Web Access
• Community
• About This Community
• Join
• My Membership
• Tools
• What's Happening
• Content Rollup
• Categories
• Project Summary
• Relevant Documents
• RSS Viewer
• Site Aggregator
• Sites in Category
• Term Property
• Timeline
• WSRP Viewer
• XML Viewer
• Document Sets
• Document Set Contents
• Document Set Properties
• Forms
• HTML Form Web Part
• Media and Content
• Content Editor
• Script Editor
• Silverlight Web Part
• Search
• Refinement
• Search Box
• Search Navigation
• Search Results
• Search-Driven Content
• Catalog-Item Reuse
• Social Collaboration
• Contact Details
• Note Board
• Organization Browser
• Site Feed
• Tag Cloud
• User Tasks
• Last limitation and the major one is you can't add/edit master pages and page layouts.

Solution:

I got another Microsoft blog that suggests what are the steps to revert changes if you need the old system. So I am sharing some of the points I discovered while setting up my tenant. I would like to give credit to Microsoft for such a detailed but simple article. Please see refernce links section for URL.

So why am I writing a blog on it? Because I just want to highlight some useful features I came across that are affected by this and if you are facing the same issues you can simply enable custom scripting. And even though the blog is detailed, it lacks some screenshots.

Please review my second blog on this topic for scripting code.

Reference Links

• Security concern with Jquery injection
• Allow or prevent custom script