Every now and then, I go mess around in the SharePoint object model using PowerShell to see if there are any hidden gems that could be of interest. Today, I’ve discovered a per-site collection setting called ScriptSafeDomains that contains a list of all domains from which SharePoint will allow loading scripts from. In order for you to get a list of those, you can execute the following line of PowerShell:
Get-SPSite http://<your site url> | Select ScriptSafeDomains
We can see from the figure above that default domains include youtube.com, player.vimeo.com, bing.com, etc. It seems as if this property would be some kind of a Cross-Origin Resource Sharing (CORS) white list. To test my theory, I tried the following scenario where I tried to embed a video from dailymotion.com. Using the Embed code function from the SharePoint insert ribbon, I added the following iFrame tag to my site:
We can see from the figure above that SharePoint adds the mention This HTML will be inserted in a web part, and the resulting webpart doesn’t properly allow us to play the video very well. What we need to do here is to add dailymotion.com to our list of SafeScriptDomains. In order to do this, we can execute the following lines of PowerShell:
$site = Get-SPSite http://<your site url>
Then if you refresh the page and try to add the embeded code again, you should be able to do it just like you would be embedding a YouTube video. The notification that it will be inserted through a web part should now be gone!