To reduce the risk of embedded content being pulled in from unknown sites, Microsoft Office 365 sets a default list of sites and domains that are recognized as safe. The list is found in the HTML Field Security setting for the site collection.
If you have tried embedding external content on a modern page by using the Content Embed web part, you may have seen the "Embedding content from this website isn't allowed" error message. This error is displayed when you try to embed content from a website that isn’t in the list of sites and domains found in the HTML Field Security setting for the site collection.
To improve the content embedding experience, we are updating the default list of domains to include additional, frequently used websites from Microsoft and Google services. The sites that we're adding include the following:
- videoplayercdn.osi.office.net (for videos from support.office.com)
This update will occur only for site collections where the HTML Field Security setting uses the default list of sites. (That is, the HTML Field Security setting has not been changed.) Therefore, if you are using the default settings, you will obtain the update automatically.
If you don't want the update, you can change the HTML Field Security setting beforehand to your own custom list. Or, if you have already changed the HTML Field Security settings, but you want to add the sites that are in the update, you can manually change the HTML Field setting to include these sites.
To manually change the HTML Field Security setting per site collection, see Allow or restrict the ability to embed content on SharePoint pages.
Article ID: 4018429 - Last Review: Mar 31, 2017 - Revision: 8