We’re improving SharePoint Online security via Content Security Policy (CSP) enforcement. Currently, CSP is applied in reporting mode, but as of March 1, 2026, the Content Security Policy will be enforced, which will prevent the loading of script (e.g. JavaScript) from non-allowed sources. This message center post replaces MC1055557 (April 2024).
This change is associated with Microsoft 365 Roadmap ID: 485797.
[When this will happen:]
This will be implemented starting March 1, 2026.
[How this will affect your organization:]
If your organization has extended SharePoint Online using SPFx, the custom SPFx solutions you created could potentially load scripts from locations that are not allowed. In most cases SPFx solutions load script from allowed locations, but that’s not always the case. Any script from a location that is not allowed will be blocked, and the same applies to any inline script. SPFx solutions whose script is blocked will no longer function as designed, impacting business scenarios that depend on those solutions.
To prevent solutions from breaking, you need to:
- Ensure all script locations in use are trusted script sources. This can be done without updating the SPFx solution.
- Move all inline script to script files, which can then be defined as a trusted source. This will require updating the SPFx solution!
If you need more time to review your SPFx solutions, there’s an option to postpone CSP enforcement by 90 days using the following SPO Management Shell PowerShell cmdlet:

```powershell
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
```
Note:
This option will be available in the SPO Management Shell version 16.0.26712.12000 (November 2025) or higher.
[What you need to do to prepare:]
In addition to the default CSP settings, SharePoint Online will add locations listed in the Trusted Script Sources area of the SharePoint Online Admin Center as valid locations for CSP, thus enabling script loading from those locations. To add an entry, open the Trusted Script Sources page in a browser via SharePoint Online Admin Center > Advanced > Script sources.
There are two ways to find out which script locations to add. The first option is to test your SPFx solutions with the browser dev tools console open. As CSP is in reporting mode until March 1, 2026, the console will show messages indicating script that will be blocked once CSP is enforced. These messages start with “Loading the script ‘<path to script>’ violates the following…” or “Executing inline script violates the following Content Security Policy directive…”.
The second option is the audit log: whenever the browser logs a CSP violation, that violation is also logged to Microsoft Purview. In the browser, navigate to the Audit solution in Microsoft Purview from the Microsoft 365 Admin Center. From the Search page, search for the Activity – friendly names value Violated Content Security Policy, or the Activity – operation names value ViolatedContentSecurityPolicy.
Selecting a search result opens the side panel with the audit details. Take note of the following properties:
- DocumentUrl: This indicates the page in the SharePoint Online site where the CSP violation occurred.
- BlockedUrl: This indicates the URL of the script that violated the CSP configuration, or contains “inline” when the violation came from loading inline script.
Important
In the case of inline script, the remediation requires updating the SPFx solution by moving inline script into a separate script file, which then can be added as a trusted source.
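The audit review described above can be scripted. The following is an added example, not code from Microsoft or from the original post: it sorts ViolatedContentSecurityPolicy records into script locations to review for Trusted Script Sources and pages whose inline script needs a solution update. The function name `Get-CspViolationSummary`, the sample records, the grouping by scheme and host, and the assumption that DocumentUrl and BlockedUrl are top-level fields of each record's AuditData JSON are all hypothetical.

```powershell
# Constructed sample input: each string stands in for the AuditData JSON of one
# ViolatedContentSecurityPolicy record. DocumentUrl and BlockedUrl are the
# properties named above; treating them as top-level JSON fields is an assumption.
$sampleAuditData = @(
    '{"DocumentUrl":"https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx","BlockedUrl":"https://cdn.example.net/widgets/chart.js"}'
    '{"DocumentUrl":"https://contoso.sharepoint.com/sites/hr/SitePages/Leave.aspx","BlockedUrl":"https://cdn.example.net/widgets/chart.js"}'
    '{"DocumentUrl":"https://contoso.sharepoint.com/sites/fin/SitePages/Home.aspx","BlockedUrl":"https://cdn.example.net/forms/validate.js"}'
    '{"DocumentUrl":"https://contoso.sharepoint.com/sites/fin/SitePages/Home.aspx","BlockedUrl":"inline"}'
    '{"DocumentUrl":"https://contoso.sharepoint.com/sites/it/SitePages/Status.aspx","BlockedUrl":"https://scripts.example.org/lib/status.js"}'
)

function Get-CspViolationSummary {
    param([Parameter(Mandatory = $true)][string[]]$AuditDataJson)

    $rows = foreach ($json in $AuditDataJson) {
        $rec     = $json | ConvertFrom-Json
        $blocked = [string]$rec.BlockedUrl
        $uri     = $null
        $isHttp  = [Uri]::TryCreate($blocked, [UriKind]::Absolute, [ref]$uri) -and
                   ($uri.Scheme -in 'http', 'https')
        if ($isHttp) {
            # Script file from a location that is not yet allowed: a candidate for
            # the Trusted Script Sources list, grouped here by scheme and host.
            $kind = 'ExternalScript'; $source = $uri.GetLeftPart([UriPartial]::Authority)
        } elseif ($blocked -match 'inline') {
            # Inline script: needs an SPFx solution update, not a trusted-source entry.
            $kind = 'InlineScript'; $source = 'inline'
        } else {
            # Anything else stays visible for manual review instead of being dropped.
            $kind = 'Unrecognized'; $source = $blocked
        }
        [pscustomobject]@{ Kind = $kind; Source = $source; BlockedUrl = $blocked
                           DocumentUrl = [string]$rec.DocumentUrl }
    }

    # One summary row per source, listing the affected pages and distinct scripts.
    $rows | Group-Object Kind, Source | ForEach-Object {
        [pscustomobject]@{
            Kind       = $_.Group[0].Kind
            Source     = $_.Group[0].Source
            Violations = $_.Count
            Pages      = @($_.Group.DocumentUrl | Sort-Object -Unique)
            Scripts    = @($_.Group.BlockedUrl | Sort-Object -Unique)
        }
    } | Sort-Object Kind, @{ Expression = 'Violations'; Descending = $true }
}

Get-CspViolationSummary -AuditDataJson $sampleAuditData | Format-List
```

Rows of kind ExternalScript are the locations to evaluate before adding them as trusted sources; rows of kind InlineScript identify pages hosting solutions that must be updated.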
Learn more: Support for Content Security Policy (CSP) in SharePoint Online
Source: Microsoft