Try ShortPoint now

How can we help you today?

Details

Managing Trusted Script Sources for JavaScript Customizations in ShortPoint

Modified on: Mon, 9 Feb, 2026 at 2:41 PM

As part of SharePoint Online’s commitment to a secure modern environment, Microsoft utilizes a Content Security Policy (CSP) to manage how external scripts are executed on your pages. If you are adding custom JavaScript via the ShortPoint Theme Builder, you may see a warning regarding "external sources."


Theme Builder warning about loading external sources


This guide explains the standard procedure for authorizing these sources to ensure your custom scripts and integrations function correctly within the SharePoint security framework.

TABLE OF CONTENTS

Prerequisites

  • You have ShortPoint installed within your SharePoint environment.
  • You will need Global Admin or SharePoint Admin permissions to modify security policies. If you do not have administrative rights, please forward this guide to your IT department or SharePoint Administrator so they can perform the changes for you.

Why am I seeing this warning?

To protect your environment from unauthorized code execution, SharePoint’s security rules require that any external domain providing a script must be explicitly "trusted" by a SharePoint Administrator.

When you add JavaScript in the Theme Builder that references an external URL, such as a third-party analytics tool, a custom font library, or an external API, ShortPoint alerts you to ensure that the source domain is added to your tenant's allowed list. Without this step, the browser will block the script to remain compliant with the tenant's security policy.

Interactive Tutorial

You can go through this interactive tutorial to learn how to add and remove a source domain to your Trusted Script Sources. You can also view the steps in detail in the next section.


How to Add Trusted Source URLs

To ensure your custom scripts load correctly, follow these steps to add the source domain to the Trusted Script Sources page in the SharePoint Admin Center.

Step 1: Access the Trusted Script Sources Page

  • Navigate to your SharePoint Admin Center.
  • In the left-hand navigation, expand the Advanced section.
  • Open Script sources.

Go to the SharePoint Admin Center and open Script sources

Step 2: Add Your External Domain

  • Click + Add source.

  • In the Source expression field, enter the base URL of the script you are using. Note that you only need the domain, not the full path to the specific .js file.

    For example, if you want your page to load JavaScript from https://app3.weatherwidget.org/js/?id=ww_306ac85834cbd, you only need to add the domain https://app3.weatherwidget.org to your trusted sources list.

  • Click Add.

Enter external code domain and click Add

Step 3: Verify the Changes

Once saved, the domain will appear in your list of trusted sources. It may take a few minutes for the change to apply across your SharePoint tenant.

With the source now successfully authorized, you can return to the ShortPoint Theme Builder and finalize your JavaScript code. Your custom scripts will now execute correctly, and the warning will no longer prevent your integrations from functioning exactly as designed.

domain is added to the trusted sources list

How to Remove a Trusted Source

To maintain a high security posture, your SharePoint Trusted Script Sources list should only include domains that you currently use. If you have removed custom JavaScript from the Theme Builder, you should also revoke trust for that domain in SharePoint.

Step-by-step guide

Follow these steps to revoke trust for a domain in the SharePoint Admin Center:

  • Navigate to the Trusted Script Sources page: Go to SharePoint Admin Center > Advanced > Script sources > Trusted script sources.
  • Locate the Domain: Scroll through the list or use the search bar to find the domain you wish to remove.
  • Delete the Entry: Select the domain name and click Remove at the top of the list.
  • Confirm Removal: A dialog will appear. Confirm that you want to remove the source by clicking Delete.

Select domain, click Remove and hit Delete

What happens after a source is removed?

Immediately after removal, SharePoint’s Content Security Policy will no longer recognize that domain as an authorized script provider. Any ShortPoint customizations in Theme Builder Utilities that rely on scripts from that domain will be blocked by the browser.

Important: 
Before removing a source, ensure you have also removed the corresponding JavaScript code from your Theme Builder to avoid console errors and broken functionality on your live site.


Related articles:

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.

Visit our dedicated courses on ShortPoint Academy

Click Here!

World's best intranet sites are designed using ShortPoint

Get started today! Learn more

Visit our dedicated courses on ShortPoint Academy

Click Here!
See all 9 topics

Start a trial

Ignite your vision. Install ShortPoint directly on your site, or play in sandbox mode. No credit card required.

Get started today

World’s best intranet sites are designed using ShortPoint

Thousands of companies using ShortPoint everyday to design, brand and build award winning intranet sites.

Get started Learn more