Content control should have administrative configuration to restrict what domains are allowed to embed content from
Currently the SmartForms content control can embed content from any domain/site instead of allowing an administrator to restrict it to certain sites/domain that are known to be safe.
The idea is to allow an environment administrator to add restrictions for the content control similar to what SharePoint does:
Options that should be available:
Allow Any Domain
Restrict to whitelist of domains
Automatically includes all domains associated with smartForms
Do not allow content injection (Not essential)
Prevents the control from being used on new forms/views
Configuration must be available through management site so that platform admins can control these restrictions, and the settings.
At runtime, when a content control tries to load content from a site, it first checks if it adheres to the restrictions applied and throws an appropriate error if it does not.