Expand Minimize

Don't load Web Parts from unapproved locations

Web Part is loaded from a location that hasn't been approved

CheckId SPF020701
TypeName LoadWebPartFromApprovedLocation
Severity CriticalError
Type Web Part Manifest

SharePoint Framework client-side web parts consist of two pieces: the code, hosted in a location accessible through HTTP, and the manifest that defines web part properties and contains the URL of the location where the web part code is hosted.

SharePoint doesn't imply any requirements with regards to where the web part code is hosted. As long as the URL is accessible by users logged in to SharePoint, the web part will work.

SharePoint Framework client-side web parts run under the context of the current user. Whatever the current user is allowed to do, the web part can do too. Due to this high-trust character of SharePoint Framework client-side web parts they can only be installed by Tenant Administrators. Because the web part's code isn't a part of the web part package installed in SharePoint, it's essential that organizations can verify the integrity of the web part code and can control when and by whom web part's code may be updated. To enforce this policy, web parts' code should be deployed exclusively to locations that are either managed by or approved by the organization.

Name Description
ApprovedSourceLocations ;-separated list of approved locations from which Web Parts and Applications can be loaded. Script reference must start with one of these paths. For example: https://cdn.contoso.com/
Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.