How to block webparts from noscript sites
Keeping scriptable webparts off of NoScript sites
As you may be aware, some sites are marked as not safe for scripting ('noscript', although technically it is a deny-ACL on Add/Customize Page). If you create a webpart that allows for an author to write script, it's a good idea to not allow that webpart on that kind of site.
Here's how to ensure that your new webpart can't be used on a noscript site.
- After building your .sppkg file, you'll want to open it up (it's just a zip file)
- Inside the zip, you'll find your webpart.xml files (something like 021b60f8-e564-46cc-9b3a-9fe4c9ecccd3\WebPart_021b60f8-e564-46cc-9b3a-9fe4c9ecccd3.xml)
- Find the xml node titled "ClientSideComponent"
- Add an attribute at the end of the node ReturnIfCustomScriptDisabled="false"
- save the change in the zip file
Also worth pointing out - the package has the property, but it gets promoted to a field in the component manifest list that an admin can set explicitly after the fact.
The server component for this is done and has rolled out. We were waiting for the build pieces to be done before discussing this, but with some sample parts being released that do this, it's a good idea to have the manual workaround documented first. We'll have this in the build tools soon.