SharePoint Online - Allow Custom Scripts - Part One

In this blog, we will learn why we need to enable custom scripts in a SharePoint Online tenant.

Recently, my Office 365 trial expired and Microsoft suggested I apply for a new developer subscription due to my usage. So, I set up a new Office 365 tenant and tried to migrate my test content from the old tenant to the new one. But there, I ran into an issue: the new tenant has custom scripts disabled.
 

Analysis

 
When I searched for this, I found out that because of new modern site functionality, Microsoft had to make changes in their environment and now, each new tenant comes with scripting functionality disabled.
 
The reason for disabling it is that allowing JavaScript injection is a big security concern. See the high-level points below that Microsoft provided:
  • Every script that runs in a SharePoint page always runs in the context of the user visiting the page and the SharePoint application. Scripts have access to everything the user has access to. With enough access, you can even delete site collections in the back end without the end user knowing about it.
  • You can't audit the insertion of scripts; once you allow scripting, you can't identify what code has been inserted or where the code has been inserted or who inserted the code.
  • You can't block or remove the inserted script. If you've allowed custom script, you can change the setting to later prevent users from adding custom script, but you can't block the execution of a script that has already been inserted.
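
Because inserted scripts cannot be audited or blocked afterwards, it helps to know which sites allow custom script at all. The following is an added example, not code from this blog or from Microsoft; it assumes site records shaped like the output of the SharePoint Online Management Shell's `Get-SPOSite` cmdlet, where `DenyAddAndCustomizePages` set to `Disabled` means custom script is allowed. The function name and the sample records are hypothetical.

```powershell
# Added example: report which sites currently allow custom script.
# Input objects need Url and DenyAddAndCustomizePages properties
# (assumption: the shape returned by Get-SPOSite).
function Get-CustomScriptExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site
    )
    process {
        # The property is a deny rule, so the logic is inverted:
        # 'Disabled' = deny rule off = custom script ALLOWED.
        $state = [string]$Site.DenyAddAndCustomizePages
        $allowed = switch ($state) {
            'Disabled' { $true }
            'Enabled'  { $false }
            default    { $null }   # unknown state: surface it, do not guess
        }
        [pscustomobject]@{
            Url                 = $Site.Url
            CustomScriptAllowed = $allowed
            IsOneDrive          = $Site.Url -like 'https://*-my.sharepoint.com/personal/*'
            RawState            = $state
        }
    }
}

# Constructed sample records (not real sites) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/intranet';          DenyAddAndCustomizePages = 'Enabled'  }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/legacy-portal';     DenyAddAndCustomizePages = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/user_contoso'; DenyAddAndCustomizePages = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/archive';           DenyAddAndCustomizePages = 'Unknown'  }
)

# List every site that allows custom script or whose state could not be determined.
$sample |
    Get-CustomScriptExposure |
    Where-Object { $_.CustomScriptAllowed -ne $false } |
    Sort-Object Url |
    Format-Table Url, CustomScriptAllowed, IsOneDrive, RawState -AutoSize

# Against a live tenant (requires a SharePoint admin session):
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Get-SPOSite -Limit All | Get-CustomScriptExposure
```
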
Why do we need to enable it when Microsoft has disabled scripting in the first place? Here are some of the reasons.
  • The main issue I faced is that users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint.
  • You are not allowed to save site or list templates.
  • The solution gallery won't work. If you are using any sandbox solution, scripting is required.
  • SharePoint Designer won't have full features available. Microsoft has listed that it will affect the pages and list/library forms.
  • You will not be able to upload code files with the extensions .asmx, .ascx, .aspx, .htc, .jar, .master, .swf, .xap, .xsf to a library.
  • Microsoft has listed the web parts below as not allowed when scripting is disabled:

    • Business Data
      • Business Data Actions
      • Business Data Item
      • Business Data Item Builder
      • Business Data List
      • Business Data Related List
      • Excel Web Access
      • Indicator Details
      • Status List
      • Visio Web Access
    • Community
      • About This Community
      • Join
      • My Membership
      • Tools
      • What's Happening
    • Content Rollup
      • Categories
      • Project Summary
      • Relevant Documents
      • RSS Viewer
      • Site Aggregator
      • Sites in Category
      • Term Property
      • Timeline
      • WSRP Viewer
      • XML Viewer
    • Document Sets
      • Document Set Contents
      • Document Set Properties
    • Forms
      • HTML Form Web Part
    • Media and Content
      • Content Editor
      • Script Editor
      • Silverlight Web Part
    • Search
      • Refinement
      • Search Box
      • Search Navigation
      • Search Results
    • Search-Driven Content
      • Catalog-Item Reuse
    • Social Collaboration
      • Contact Details
      • Note Board
      • Organization Browser
      • Site Feed
      • Tag Cloud
      • User Tasks
  • The last and most significant limitation is that you can't add/edit master pages and page layouts.

Solution

 
I found another Microsoft blog that suggested the steps to revert the changes if you need the old system. So, I am sharing some of the points I discovered while setting up my tenant. I would like to give credit to Microsoft for such a detailed but simple article. Please see the Reference Links section for the URL.
 
So why did I write a blog on it? Because I just want to highlight some useful features I came across that are affected by this and if you are facing the same issues you can simply enable custom scripting. And even though the blog is detailed, it lacks some screenshots.
 
Please review my second blog on this topic for scripting code.
 

Reference Links