Adding an Embed Web Part in a Modern SharePoint Online Page
This is something which has come up in several contexts in the last few months, so I figured I’d put virtual pen to virtual paper and record it for future me and all of you.
If you’ve ever tried to embed content from an external source in a SharePoint page using the Embed Web Part, you may have gotten an error similar to this:
Embedding content from this website isn’t allowed, but your admin can change this setting. They will need to add ‘<specific URL>’ to the list of sites that are allowed.
It looks something like the screenshot below. It doesn’t matter if it’s a “bare” URL or you’ve encased the URL in an iframe explicitly, like I have below.
When you use the Embed Web Part, SharePoint takes the URL you provide and wraps it in an iframe. An iframe is a way for the browser to display the content inline but protect the page from any malicious actions the embedded site might try to take when it loads. Think of it like displaying a scorpion in a glass box. The scorpion may not have any venom, but since you don’t really know, you leave it in the box. You can see it just fine, but it can’t hurt you.
It turns out the links below the error explain the solution, but I had never clicked those links and read the details! In fact, unless it was years ago, I’ve just ignored the setting we need to solve this.
If you’d like to embed content from a URL, you’ll need to make sure you’ve added the domain name in the site settings. To do this, click on the cog / Site information / View all site settings / HTML Field Security. Here, you can add the domains you’d like to allow to be embedded.
Microsoft provides a default set of common domains, which as of this writing and in my tenant is the following. It’s a bit of an archeology lesson to read through them all!
- youtube.com
- youtube-nocookie.com
- player.vimeo.com
- bing.com
- office.microsoft.com
- officeclient.microsoft.com
- store.office.com
- skydrive.live.com
- powerbi.com
- powerbigov.us
- sway.com
- docs.com
- microsoftstream.com
- powerapps.com
- flow.microsoft.com
- powerapps.us
- flow.microsoft.us
- app.smartsheet.com
- publish.smartsheet.com
- www.slideshare.net
- youtu.be
- read.amazon.com
- onedrive.live.com
- www.microsoft.com
- forms.office365.us
- support.office.com
- embed.ted.com
- channel9.msdn.com
- forms.office.com
- videoplayercdn.osi.office.net
- sway.office.com
- linkedin.com
- web.yammer.com
- customervoice.microsoft.com
You can add the domain you’d like to use in the settings. Once you’d added it to the site, you can embed content from that domain – including its subdomains – in the site with the Embed Web Part.
Note that this is a per site setting. If you want to embed content from the same domain in multiple sites, you’ll need to add it to each site. As far as I know, there’s no programmatic way to add a domain across sites, but I could be mistaken about this.
If you’re feeling loosey-goosey, you could change the setting to allow embeds from any domain, but you may not want to do that for security reasons.
Finally, you must be a Site Owner to change these settings. If you don’t have access to this setting, you’ll need to get help from someone who does.
Update 2022-06-07 – Thanks to El_Topo for the comment that we can programmatically update these settings. It led me to an article from Chris Kent (@theChrisKent) entitled Extending the List of Sites You Can Embed From in SharePoint Using PowerShell which explains how to do so. Sometimes I’m the last to know!
There is a programmatic way to modify this list. Look for CustomScriptSafeDomains property of site object in CSOM.
Thanks! I’ll update the post accordingly.
@Marc Great share!