
SPF029902: Don't load Web Parts from unapproved locations

Web Part is loaded from a location that hasn't been approved

CheckId SPF029902
TypeName LoadWebPartFromApprovedLocation
Severity CriticalError
Type Web Part Manifest

SharePoint Framework client-side web parts consist of two pieces: the code, hosted in a location accessible through HTTP, and the manifest that defines web part properties and contains the URL of the location where the web part code is hosted.

SharePoint doesn't impose any requirements regarding where the web part code is hosted. As long as the URL is accessible by users logged in to SharePoint, the web part will work.

SharePoint Framework client-side web parts run under the context of the current user. Whatever the current user is allowed to do, the web part can do too. Because of this high-trust character, SharePoint Framework client-side web parts can only be installed by Tenant Administrators. Because the web part's code isn't a part of the web part package installed in SharePoint, it's essential that organizations can verify the integrity of the web part code and can control when and by whom the web part's code may be updated. To enforce this policy, web parts' code should be deployed exclusively to locations that are either managed by or approved by the organization.

Name Description
ApprovedSourceLocations ;-separated list of approved locations from which Web Parts and Applications can be loaded. Script reference must start with one of these paths. For example: https://cdn.contoso.com/
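One way to run the same check in a build pipeline, as an added example (not SPCAF's own code). It assumes the manifest keeps its script URLs under `loaderConfig.internalModuleBaseUrls` and `loaderConfig.scriptResources`, and it matches on origin and path segment rather than a raw string prefix, which is stricter than the "must start with" wording above.

```javascript
// Added example. Manifest field names are assumed from the usual SPFx layout.
function parseApproved(setting) {
  // ";"-separated list; each entry becomes a URL whose path ends in "/".
  return setting.split(";").map(s => s.trim()).filter(Boolean).map(s => {
    const u = new URL(s);
    if (!u.pathname.endsWith("/")) u.pathname += "/";
    return u;
  });
}

function isApproved(candidate, approved) {
  let u;
  try { u = new URL(candidate); } catch { return false; } // relative or malformed
  // Exact origin match plus path-segment prefix, so a lookalike host or a
  // sibling folder does not pass the way it would with a raw string prefix.
  return u.origin !== "null" &&
    approved.some(a => u.origin === a.origin && u.pathname.startsWith(a.pathname));
}

function resolve(path, base) {
  try { return new URL(path, base).href; } catch { return path; }
}

function findUnapproved(manifest, setting) {
  const approved = parseApproved(setting);
  const cfg = manifest.loaderConfig || {};
  const bases = cfg.internalModuleBaseUrls || [];
  const bad = new Set();
  for (const res of Object.values(cfg.scriptResources || {})) {
    // Only plain string paths are handled here; "component" entries carry no URL.
    if (res.type !== "path" || typeof res.path !== "string") continue;
    // A relative path is fetched from each base URL; an absolute one ignores it.
    const urls = bases.length ? bases.map(b => resolve(res.path, b)) : [res.path];
    for (const url of urls) if (!isApproved(url, approved)) bad.add(url);
  }
  return [...bad];
}

// Constructed sample input, not taken from a real package.
const SAMPLE_SETTING = "https://cdn.contoso.com/; https://static.contoso.com/spfx";
const SAMPLE_MANIFEST = { loaderConfig: {
  internalModuleBaseUrls: ["https://cdn.contoso.com/webparts/"],
  scriptResources: {
    "hello.bundle": { type: "path", path: "hello.bundle_1a2b.js" },
    "helper": { type: "path", path: "https://cdn.contoso.com.example.net/helper.js" },
    "strings": { type: "path", path: "https://static.contoso.com/spfx-old/strings.js" },
    "react": { type: "component", id: "constructed-id", version: "15.4.2" }
  } } };
console.log(findUnapproved(SAMPLE_MANIFEST, SAMPLE_SETTING));
```

A non-empty result means at least one script would load from outside the approved locations, so the pipeline step should fail before the package reaches the tenant app catalog.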
Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.