Security considerations of allowing custom script

Allowing users to customize sites and pages in SharePoint by inserting script can give them the flexibility to address different needs in your organization. However, you should be aware of the security implications of custom script.

When you allow users to run custom script, you can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. Instead of allowing custom script, we recommend using the SharePoint Framework. For more info, see An alternative to custom script.

What custom script can do

Every script that runs in a SharePoint page (whether it's an HTML page in a document library or JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:

  • Scripts have access to everything the user has access to.

  • Scripts can access content across several Microsoft 365 services, and even beyond them through Microsoft Graph integration.

You can't audit the insertion of script

As a global admin, security admin, or SharePoint admin, you can allow or block custom script capabilities for the whole organization or for specific site collections. (For info on how to do this, see Allow or prevent custom script.) However, once you allow scripting, you can't identify:

  • What code has been inserted

  • Where the code has been inserted

  • Who inserted the code

Any user who has the "Add and Customize Pages" permission (part of the Design and Full Control permission levels) on any page or document library can insert code that can potentially have a powerful effect on all users and resources in the organization.

The script has access to more than just the page or site: it can access content across all site collections and other Microsoft 365 services in the organization. There are no boundaries for executing script. For info about site activity you can audit, see Configure audit settings for a site collection.

You can't block or remove inserted script

If you've allowed custom script, you can later change the setting to prevent users from adding custom script, but you can't block the execution of script that has already been inserted. If dangerous or malicious script is inserted, the only way you can stop it is to delete the page that hosts it. This might result in data loss.
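Because inserted script itself can't be audited, the one thing an admin can inventory is which site collections still permit it. The following is an added example, not part of the original article, that uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOSite, Set-SPOSite) to report every site whose DenyAddAndCustomizePages status is Disabled (custom script allowed) and to re-apply the block; the tenant name is a placeholder.

```powershell
# Added example (not from the article): find site collections that currently
# allow custom script and re-apply the block on them.
# Assumes the SharePoint Online Management Shell module is installed and the
# caller is a SharePoint admin. Replace <tenant> with your tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Without -Detailed, Get-SPOSite returns only a subset of properties, so read
# each site individually to get DenyAddAndCustomizePages reliably.
$report = foreach ($site in Get-SPOSite -Limit All) {
    $detail = Get-SPOSite -Identity $site.Url -Detailed
    [pscustomobject]@{
        Url                 = $detail.Url
        Template            = $detail.Template
        # 'Disabled' means the deny setting is off, i.e. custom script is ALLOWED
        CustomScriptAllowed = ($detail.DenyAddAndCustomizePages -eq 'Disabled')
    }
}

$allowing = $report | Where-Object CustomScriptAllowed
$allowing | Format-Table Url, Template -AutoSize

# Re-apply the block. As the article notes, this only prevents NEW script from
# being added; script already present on a page keeps executing.
foreach ($s in $allowing) {
    Set-SPOSite -Identity $s.Url -DenyAddAndCustomizePages $true
}
```

Run the report step on its own first and review the list before applying Set-SPOSite, since some sites may be intentionally exempted by your governance policy.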

An alternative to custom script

The SharePoint Framework is a page and web part model that provides a governed and fully supported way to build solutions using scripting technologies, with support for open-source tooling. Key features of the SharePoint Framework:

  • The framework runs in the context of the current user and connection in the browser. It doesn't use iFrames.

  • The controls are rendered in the normal page Document Object Model (DOM).

  • The controls are responsive and accessible.

  • Developers can access the lifecycle: not only render, but also load, serialize and deserialize, configuration changes, and more.

  • You can use any browser framework you like: React, Handlebars, Knockout, AngularJS, and more.

  • The toolchain is based on common open-source client development tools like npm, TypeScript, Yeoman, webpack, and gulp.

  • Admins have governance tools to immediately disable solutions, regardless of the number of instances in use and the number of pages or sites across which they've been used.

  • Solutions can be deployed in web parts and pages that use the classic experience or the new experience.

  • Only global admins, SharePoint admins, and people who have been given permission to manage the App Catalog can add solutions. For info about giving users permission to manage the App Catalog, see Request app installation permissions.