High-privileged users can embed active content in SharePoint sites. This article describes techniques that SharePoint administrators can use to restrict active content.
The risk of active content
The same-origin policy allows active content to interact with other web endpoints on the same domain as the current page. For example, active content on http://contoso.com/page1.aspx can access http://contoso.com/page2.aspx, but it cannot access http://fabrikam.com/page3.aspx.
SharePoint allows high-privileged users to add and modify active content which runs in the context of the site. A malicious user may add active content which interacts with other SharePoint pages to perform undesirable actions without the victim’s consent.
Controlling active content with permissions
In SharePoint 2013, the Add and Customize Pages permission controls the ability to add or modify active content:
- The Read, Contribute, and Edit permission levels do not include the Add and Customize Pages permission. Users with only these permission levels cannot add or modify active content.
- The Design and Full Control permission levels do include the Add and Customize Pages permission. Users with these permission levels can add or modify active content.
- Site Collection Administrators are implicitly granted the Add and Customize Pages permission.
Only highly-trusted users should be granted permission levels which enable them to add active content.
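The following script is an added example, not part of the original article, for auditing who can add active content on a site. It assumes the SharePoint 2013 Management Shell (the Microsoft.SharePoint.PowerShell snap-in) and uses a placeholder site URL. It tests each permission level's BasePermissions bitmask for AddAndCustomizePages, then lists the users and groups bound to such a permission level, plus the Site Collection Administrators who hold the permission implicitly.

```powershell
# Added example: report which permission levels and principals on a site can add active content.
# Assumes the SharePoint 2013 Management Shell; http://contoso/sites/restricted is a placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$addAndCustomize = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages

function Test-HasAddAndCustomizePages {
    param([Microsoft.SharePoint.SPBasePermissions]$Mask)
    # Bitwise test: the flag is present if AND-ing it with the mask leaves the flag intact.
    # Full Control uses FullMask, so it passes this test; Read, Contribute and Edit do not.
    return (($Mask -band $addAndCustomize) -eq $addAndCustomize)
}

$web = Get-SPWeb http://contoso/sites/restricted

# 1. Which permission levels (role definitions) defined on this web include the permission?
foreach ($role in $web.RoleDefinitions) {
    $verdict = if (Test-HasAddAndCustomizePages $role.BasePermissions) { "CAN" } else { "cannot" }
    "{0,-20} {1} add active content" -f $role.Name, $verdict
}

# 2. Which users and groups are bound to such a permission level on this web?
foreach ($ra in $web.RoleAssignments) {
    $risky = @($ra.RoleDefinitionBindings | Where-Object { Test-HasAddAndCustomizePages $_.BasePermissions })
    if ($risky.Count -gt 0) {
        "{0} -> {1}" -f $ra.Member.Name, (($risky | ForEach-Object { $_.Name }) -join ", ")
    }
}

# 3. Site Collection Administrators hold Add and Customize Pages implicitly.
foreach ($admin in $web.SiteAdministrators) {
    "Site Collection Administrator: {0}" -f $admin.LoginName
}

$web.Dispose()
```

Run it against each web you care about; any principal in section 2 or 3 that is not a highly-trusted user is a candidate for a lower permission level.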
Controlling active content at the site collection level
SharePoint administrators may wish to prevent all users on a given site collection from adding active content. In SharePoint 2013, the site collection DenyPermissionsMask property can be used to deny specific permissions to all users, including Site Collection Administrators.
Here’s how to apply a DenyPermissionsMask using the SharePoint 2013 Management Shell:
$site = Get-SPSite http://contoso/sites/restricted
# OR the Add and Customize Pages bit into the existing deny mask rather than overwriting it
$site.DenyPermissionsMask = ($site.DenyPermissionsMask -bor [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages)
$site.Dispose()
Controlling active content at the web application level
SharePoint administrators may wish to restrict the use of active content across an entire web application. For example, each user is a Site Collection Administrator on their own My Site, and it would be unrealistic for the SharePoint administrator to manually set the DenyPermissionsMask each time a new My Site is provisioned.
Web application policy can be used to deny the Add and Customize Pages permission for all users in a given web application. Here’s how to apply this policy using the SharePoint 2013 Management Shell:
$w = Get-SPWebApplication http://contoso-my
$p = $w.PolicyRoles.Add("NoActiveContent", "Denies active content")
$p.DenyRightsMask = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
# Persist the new policy role on the web application
$w.Update()
A policy role by itself denies nothing; it takes effect once a user policy on the web application (for example, one created under User Policy in Central Administration) is bound to it.
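The script below is an added example, not part of the original article, that checks both of the controls described above (the site collection DenyPermissionsMask and web application policy) across one web application. It assumes the SharePoint 2013 Management Shell and a placeholder web application URL. It lists the policy roles that deny Add and Customize Pages, the user policies bound to them, and then reports every site collection whose own deny mask does not contain the permission, so that site collections relying on neither control stand out.

```powershell
# Added example: audit Add and Customize Pages denial across a web application.
# Assumes the SharePoint 2013 Management Shell; http://contoso-my is a placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$flag = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
$w = Get-SPWebApplication http://contoso-my

# (a) Policy roles whose DenyRightsMask includes the permission.
$denyRoles = @($w.PolicyRoles | Where-Object { ($_.DenyRightsMask -band $flag) -eq $flag })
"Policy roles denying Add and Customize Pages: {0}" -f $denyRoles.Count
foreach ($role in $denyRoles) { "  role: {0}" -f $role.Name }

# (b) User policies bound to one of those roles. A role that no policy references denies nothing.
$denyPolicies = @($w.Policies | Where-Object {
    $bound = @($_.PolicyRoleBindings | ForEach-Object { $_.Name })
    @($denyRoles | Where-Object { $bound -contains $_.Name }).Count -gt 0
})
foreach ($pol in $denyPolicies) {
    "  applied to: {0} ({1})" -f $pol.DisplayName, $pol.UserName
}
# Assumption for the report: any bound deny policy is treated as web-application-level coverage.
# Verify the policy's user or group actually covers all users before relying on it.
$webAppDenies = $denyPolicies.Count -gt 0

# (c) Per-site-collection DenyPermissionsMask, with the effective state for each site.
foreach ($site in $w.Sites) {
    try {
        $siteDenies = ($site.DenyPermissionsMask -band $flag) -eq $flag
        $state = if ($siteDenies) { "denied by site DenyPermissionsMask" }
                 elseif ($webAppDenies) { "denied by web application policy" }
                 else { "ALLOWED - review" }
        "{0,-50} {1}" -f $site.Url, $state
    }
    finally {
        $site.Dispose()   # SPSite objects must be disposed when enumerated this way
    }
}
```

Sites reported as "ALLOWED - review" are the ones where Site Collection Administrators and Design or Full Control users can still add active content, unless they are deliberately isolated on a separate domain.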
Controlling active content using domain isolation
Some SharePoint deployments are configured to allow My Sites or Self-Service Site Creation, which allows users to provision a site collection where they are granted Site Collection Administrator privileges.
If you choose to allow users to embed active content in these sites, consider hosting them on a web application that uses a different domain name than other trusted content. The same-origin policy will prevent untrusted active content on these sites from interacting with trusted content on other domains.
Administrators have four means of controlling active content in SharePoint 2013:
- Grant an appropriate permission level which prevents users from working with active content
- Disable the Add and Customize Pages permission on a site collection
- Disable the Add and Customize Pages permission on a web application
- Isolate active content to a separate domain
These techniques allow a SharePoint administrator to mitigate the impact of untrusted active content.