Restrictions on Custom JavaScript in SharePoint Online

What is Custom JavaScript?

Custom JavaScript refers to any JavaScript code that is manually inserted into SharePoint pages to modify or enhance default functionality. This includes JavaScript inserted through content editor web parts, script editor web parts, or directly using other web parts’ script injection capabilities.

Common uses of custom JavaScript in SharePoint include:

  • Dynamically modifying SharePoint interface elements like ribbons and menus
  • Integrating rich media content like sliders, animations, etc.
  • Connecting to external data sources to display custom dashboards and reports
  • Adding interactivity and advanced logic to SharePoint forms and pages

Why Restrict Custom JavaScript?

Allowing unrestricted custom JavaScript is a real security risk for a SharePoint Online tenant. Custom script runs in the SharePoint origin with the full permissions of the signed-in user, so a malicious or merely buggy script can read and modify anything that user can reach (lists, documents, profile data) and can be used to phish or exfiltrate data. There is also no review step: whoever can edit a page can run script for every visitor to it.

Microsoft has been tightening this for years. Custom script is blocked by default on sites, a site collection administrator has to allow it explicitly per site (the DenyAddAndCustomizePages site property, set with Set-SPOSite -DenyAddAndCustomizePages $false), and since late 2024 a site where it has been allowed reverts to blocked again after 24 hours. The factors behind this:

  • Prevent script injection that runs in the user's session and can read or change any data that user can reach
  • Stop pages from depending on unsupported customizations that break when SharePoint changes
  • Reduce the performance cost of scripts that load on every page view
  • Make customizations inventoriable: SPFx solutions are deployed through the app catalog where they can be reviewed, whereas inline script is scattered across pages

What JavaScript APIs are Restricted?

The restriction is a site-level switch, not a list of banned functions. When custom script is blocked on a site (the default), SharePoint does not inspect your code for eval, setTimeout, innerHTML, createElement or jQuery calls; it removes the places such code can run:

  • The Script Editor and Content Editor web parts are not available
  • ScriptLink user custom actions are not loaded
  • Other classic injection routes are closed: SharePoint Designer, sandboxed solutions, "save site as template" and "save list as template", and uploading script-bearing files such as .aspx and .master pages

JavaScript that reaches the page through a supported route, most importantly SPFx web parts and extensions deployed from the app catalog, keeps running with full access to the DOM. The APIs the post lists are still the ones a reviewer should flag, because they are the classic DOM XSS sinks and external-data paths:

  • Dynamic code evaluation: eval, new Function, and setTimeout or setInterval with a string argument
  • Markup injection: document.write, innerHTML, insertAdjacentHTML, and jQuery's .html(), .append() and similar when fed anything other than a literal
  • Calls to external endpoints (XHR, fetch, $.ajax), which should be limited to endpoints you control and must never pass the user's SharePoint token along
  • DOM construction from untrusted values, where createElement plus setAttribute is the safer form, not a blocked one

For example, the following snippet from a Script Editor web part stops working on a site where custom script is blocked, not because .html() is banned but because the web part hosting it is gone. It is also a review finding in its own right: if the video id in the src comes from the URL or a list column rather than a literal, .html() lets whoever controls that value inject arbitrary markup.

$("#videoContainer").html(`
  <iframe src="https://www.youtube.com/embed/...
`);

How to Check if Your Scripts Are Impacted

Because the switch is per site rather than per API, the question is not which calls your script makes but where it lives. Anything delivered through a Script Editor or Content Editor web part, a content link, or a ScriptLink custom action stops running once custom script is blocked on that site. Two ways to find it:

Manual Code Analysis

Inventory every place a script can reach the page: Script Editor and Content Editor web parts (including ones that load a .js or .html file through a content link), ScriptLink user custom actions, and .aspx pages uploaded to libraries. Then read each script for the patterns above: dynamic code execution, external requests, markup injection, and jQuery calls that take markup.

Do not try to make a script acceptable by swapping DOM calls for string assignments. The following element construction is the form to keep, because the URL ends up as an attribute value rather than being parsed as markup:

let iframe = document.createElement('iframe');
div.appendChild(iframe);

Replacing it with div.innerText = '<iframe></iframe>' does not help: innerText renders the string as literal text, so the page shows the tag instead of the video, and the change has no bearing on whether the script is allowed to run at all; that is decided by the site setting.
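The point of keeping the DOM-API form, shown as an added example that is not code from the original post or from Microsoft: the video id in the jQuery snippet above is only safe while it is a literal. Below, buildEmbedUnsafe is the string-concatenation pattern and buildEmbedUrl/renderEmbed the hardened one, which validates the id's shape, builds the URL with the URL constructor and pins the origin. The YouTube id format (11 URL-safe characters), the sandbox attributes, the sample ids and the fakeDocument stand-in for the browser document are all assumptions made for the example.

```javascript
// Added example, not code from the original post or from Microsoft.
// Shows why string-built markup is the problem and what the DOM-API form
// buys you. The video id would come from the URL or a list column in real
// code; the inputs below are constructed samples.

const EMBED_ORIGIN = "https://www.youtube.com";
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/; // assumed id shape: 11 URL-safe chars

// BEFORE (vulnerable): the id is concatenated into markup, so whoever
// controls it controls the markup, e.g. closes the iframe and adds a script
// or an iframe pointing at a phishing page.
function buildEmbedUnsafe(videoId) {
  return `<iframe src="${EMBED_ORIGIN}/embed/${videoId}"></iframe>`;
}

// AFTER: validate the shape of the id, build the URL with the URL
// constructor, and confirm the origin before the value is used anywhere.
function buildEmbedUrl(videoId) {
  if (typeof videoId !== "string" || !VIDEO_ID_RE.test(videoId)) {
    return null; // anything that is not a plain id is refused
  }
  const url = new URL(`/embed/${videoId}`, EMBED_ORIGIN);
  return url.origin === EMBED_ORIGIN ? url.href : null;
}

// The validated URL becomes an attribute value via DOM APIs; it is never
// parsed as markup. `doc` is passed in so this runs without a browser.
function renderEmbed(doc, container, videoId) {
  const href = buildEmbedUrl(videoId);
  if (href === null) return false;
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("src", href);
  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
  iframe.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  container.appendChild(iframe);
  return true;
}

// Minimal stand-in for a browser document/element, enough to exercise
// renderEmbed here (constructed; a real page would pass `document`).
function fakeDocument() {
  const makeElement = (tagName) => ({
    tagName, attributes: {}, children: [],
    setAttribute(name, value) { this.attributes[name] = value; },
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement: makeElement, body: makeElement("body") };
}

// Constructed inputs: a well-formed id and a markup-injection attempt.
const GOOD_ID = "aB3dE5fG7h9";
const EVIL_ID = 'x"></iframe><script>alert(document.cookie)</script>';

function demo() {
  const doc = fakeDocument();
  return {
    unsafeOutput: buildEmbedUnsafe(EVIL_ID),           // contains <script>
    safeUrl: buildEmbedUrl(GOOD_ID),                   // pinned embed URL
    safeRejected: buildEmbedUrl(EVIL_ID),              // null
    rendered: renderEmbed(doc, doc.body, GOOD_ID),     // true
    renderedEvil: renderEmbed(doc, doc.body, EVIL_ID), // false
    iframeCount: doc.body.children.length,             // 1
  };
}
```

The validation is deliberately an allowlist on the id rather than escaping of the markup: with the DOM-API form there is no markup to escape, and the origin check means a value such as a protocol-relative or path-traversal string cannot redirect the frame even if the id regex were loosened later.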

Scanners

General static analysis tools such as Checkmarx, or an ESLint rule set such as eslint-plugin-no-unsanitized, will flag the markup and code-evaluation sinks above. To find where script-bearing classic web parts and pages exist across a tenant, the PnP SharePoint Modernization Scanner reports classic pages and the web parts on them. No scanner tells you whether a script is allowed to run on a given site; that is the custom script setting, which you can read with Get-SPOSite (a DenyAddAndCustomizePages value of Enabled means custom script is blocked).

Fix what the scanners flag by rewriting the risky calls and repeat until the report is clean; then decide per script whether it moves to SPFx or is replaced by a declarative option.
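A reviewer-assist scan of the kind the two sections above describe, added here as an example that is not code from the original post or any Microsoft tool. It runs the sink patterns listed earlier (plus the usual DOM XSS sinks) over script text line by line and reports script, line, sink and the offending text. The pattern list is a review heuristic, not anything SharePoint Online enforces, and the three sample scripts are constructed for the example.

```javascript
// Added example, not code from the original post or a Microsoft tool.
// A reviewer-assist scan that reports where a script uses the sinks and
// external-request calls listed above. The pattern list is a review
// heuristic, not anything SharePoint enforces. Sample scripts are constructed.

const SINK_PATTERNS = [
  { sink: "eval",                   re: /\beval\s*\(/ },
  { sink: "Function constructor",   re: /\bnew\s+Function\s*\(/ },
  { sink: "timer with string code", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { sink: "document.write",         re: /\bdocument\.write(?:ln)?\s*\(/ },
  { sink: "innerHTML/outerHTML",    re: /\.(?:inner|outer)HTML\s*=/ },
  { sink: "insertAdjacentHTML",     re: /\.insertAdjacentHTML\s*\(/ },
  { sink: "jQuery .html(value)",    re: /\.html\s*\(\s*[^)\s]/ },   // setter only, not .html()
  { sink: "jQuery markup insert",   re: /\.(?:append|prepend|after|before)\s*\(\s*["'`]\s*</ },
  { sink: "location assignment",    re: /\b(?:window\.|document\.)?location(?:\.href)?\s*=[^=]/ },
  { sink: "external request",       re: /\b(?:fetch|XMLHttpRequest|\$\.(?:ajax|get|post|getJSON))\b/ },
];

// Scan one script; returns one finding per (line, sink) pair. Full-line
// comments are skipped so commented-out code is not reported.
function scanScript(name, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    if (/^\s*(?:\/\/|\*|\/\*)/.test(line)) return;
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(line)) {
        findings.push({ script: name, line: idx + 1, sink, text: line.trim() });
      }
    }
  });
  return findings;
}

function scanAll(scripts) {
  return Object.entries(scripts).flatMap(([name, src]) => scanScript(name, src));
}

// Count findings by sink so a site owner can see what a rewrite entails.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.sink] = (counts[f.sink] || 0) + 1;
  return counts;
}

// Constructed samples of the kind of code that lived in Script Editor
// web parts. None of this is real customer code.
const SAMPLE_SCRIPTS = {
  "legacy-embed.js": [
    "// Script Editor web part: embed the video named in the URL fragment",
    "var id = location.hash.slice(1);",
    "$('#videoContainer').html('<iframe src=\"https://www.youtube.com/embed/' + id + '\"></iframe>');",
    "setTimeout('refreshStatus()', 5000);",
  ].join("\n"),
  "dashboard.js": [
    "fetch('https://api.example.com/stats').then(function (r) { return r.json(); }).then(render);",
    "function render(d) { document.getElementById('out').innerHTML = d.html; }",
  ].join("\n"),
  "clean.js": [
    "var el = document.createElement('span');",
    "el.textContent = document.title;",
    "document.getElementById('out').appendChild(el);",
  ].join("\n"),
};

// Print a grep-style report and return the findings for further handling.
function report() {
  const findings = scanAll(SAMPLE_SCRIPTS);
  for (const f of findings) console.log(`${f.script}:${f.line} ${f.sink}: ${f.text}`);
  return findings;
}
```

The scan is intentionally line-oriented and regex-based: it is cheap to run over exported page content and good enough to triage which web parts need a human to read them. It will miss sinks reached through aliases or string building across lines, which is what the full SAST tools above are for.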

Alternatives for Customization

With custom script blocked, the supported ways to customize a site are:

Column, View and Form Formatting

The Content Editor web part is itself one of the web parts that disappears when custom script is blocked, so it is not a fallback. For the styling and light logic that used to be done with inline HTML, CSS and script, use column formatting, view formatting and list form formatting: JSON definitions that run without custom script and can express conditional colours, icons, links and simple expressions over a row's fields. Site-wide looks come from site themes and the modern page layouts rather than from injected style blocks.

Power Platform Solutions

Explore no-code customization options like Power Apps and Power Automate instead of JavaScript. Connect these solutions to SharePoint lists and libraries for CRUD operations and workflows.

For example, build Power Apps forms, flows for business processes, dashboards over SharePoint data, and more without coding.

Modern Web Parts

Port script web parts to SPFx client-side web parts and extensions. SPFx solutions are packaged and deployed through the tenant or site app catalog, where an admin approves them, and they run on sites with custom script blocked. They are still JavaScript with full access to the page, so the review points above apply to them as well; what changes is that the code is versioned, reviewed and deployed rather than pasted into a page.

The SPFx generator scaffolds React projects; other frameworks work as long as they build to a client-side bundle the web part can load.

Summary

Microsoft limits custom script in SharePoint Online with a per-site switch that is on by default: it removes the web parts and injection routes that let arbitrary script run as the signed-in user, rather than policing individual JavaScript APIs.

Audit where your scripts live and what they do, treat the markup and code-evaluation sinks above as review findings whether or not the script is currently blocked, and move what is still needed to SPFx, Power Platform, or column and view formatting. Check the site setting before assuming a script will keep running, and follow Microsoft's announcements on how that setting behaves.
