SharePoint Online Content Security Policy (CSP): Enforcement Dates and Guidance

Microsoft

Nov 25, 2025

Content Security Policy (CSP) is a critical browser security feature designed to protect web applications from threats like cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP allows site owners to specify which resources (scripts, styles, images, etc.) a page can load, reducing the risk of malicious code execution.

SharePoint Online is rolling out CSP enforcement for all tenants starting March 1, 2026. Until then, CSP is in "report-only" mode - no scripts are blocked yet, but violations are logged. This change will have a direct impact on your SharePoint Framework (SPFx) solutions, especially those that load scripts from external sources or use inline scripts.

Key Dates:

Now–Feb 29, 2026: CSP in report-only mode (no blocking, only logging)
March 1, 2026: CSP enforcement begins (blocking non-compliant scripts)
Optional: Delay enforcement by 90 days (until June 1, 2026) using PowerShell

How CSP Works in SharePoint Online

When a page loads, the browser checks every script request against the CSP rules set by SharePoint Online. If a script’s source is not explicitly allowed, the browser blocks it and logs a violation. This applies to both external scripts and inline scripts (JavaScript embedded directly in HTML or event handlers).

Learn more: Content Security Policy (CSP) - Mozilla.

Impact on SPFx Solutions

Default Behavior

By default, SPFx solutions package their JavaScript bundles inside the *.sppkg file. When deployed, these assets are hosted in the site’s ClientSideAssets library, which is trusted by the default SharePoint Online CSP configuration. If you follow this pattern, your solution will continue to work without changes.

Common Script Loading Patterns

However, some developers use alternative patterns for script loading and hosting. Here’s how CSP enforcement will affect each:

External CDN for SPFx Bundles
- Pattern: JavaScript bundles are hosted on a vendor-managed CDN, referenced via cdnBasePath in write-manifests.json.
- CSP Impact: SharePoint Online will automatically add the CDN domain to the Trusted Script Sources list when the app is installed. No manual action is needed if you follow the documented packaging process.

External Libraries via CDN
- Pattern: Libraries are excluded from the bundle and loaded at runtime from a CDN, configured via the externals property in config.json.
- CSP Impact: The CDN domain is added to Trusted Script Sources automatically. Again, no manual action is needed if you follow the guidance.

Dynamic Script Loading (SPComponentLoader)
- Pattern: Scripts are loaded dynamically in code using SPComponentLoader.loadScript().
- CSP Impact: If the script source is not already trusted, you must manually add it to the Trusted Script Sources list in the SharePoint Admin Center.

Inline Scripts
- Pattern: JavaScript is embedded directly in HTML, event handlers, or injected via innerHTML, document.write(), etc.
- CSP Impact: Inline scripts will be blocked. You must refactor your solution to move all inline scripts into external files and register those files as trusted sources.

Preparing for CSP Enforcement

Audit Your Solutions
- Open your SPFx solutions in the browser with Dev Tools (F12) Console open.
- Look for CSP violation messages, such as:
  - Loading the script '<url>' violates the following...
  - Executing inline script violates the following Content Security Policy directive...

Example browser console entries when the custom scripts are not properly listed in the trusted scripts area in the tenant.

- Violations are also logged to Microsoft Purview for audit and compliance tracking. Create a report searching for Activity - friendly names value Violated Content Security Policy to get a list of CSP violations.

Example query settings with the Violated Content Security Policy activity selected.

Update Trusted Script Sources
- Go to SharePoint Admin Center > Advanced > Script sources.
- Add any required external domains as trusted sources.
- Note: Overly permissive wildcard expressions (e.g., *, *.domain) are not allowed. You can add up to 300 entries; use wildcards to consolidate where possible.

Refactor Inline Scripts
- Move all inline scripts into external files.
- Register those files as trusted sources.
- Update your SPFx solutions and redeploy.

Delay Enforcement (If Needed)

If you need more time, you can delay CSP enforcement for your tenant by 90 days (until June 1, 2026) using the SPO Management Shell:

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

This option will be available in the SPO Management Shell starting from the end of November 2025 release.

Final Thoughts and Resources

CSP enforcement is a major step forward for SharePoint Online security, but it requires action from developers. Start auditing your solutions now, refactor any inline scripts, and ensure all external script sources are registered as trusted. This will help avoid disruptions when enforcement begins.

10 Comments

Jason Arden
Copper Contributor
Dec 15, 2025
CSP behavior allows 'nonce-' to be inserted - is SP making the nonce variable available for ISVs to utilize in certain scenarios? Can we access the nonce value via JS?
- BertJansen
  Microsoft
  Dec 15, 2025
  Jason Arden : no, we're not making the nonce value available as this would severely impact the security improvements we're pushing by enforcing CSP. You'll have to rewrite code and move inline script into script files.
  - Jason Arden
    Copper Contributor
    Dec 15, 2025
    OK - we are dealing a 3rd party editor within our offering and don't have control over this - will do a bit more research- https://ckeditor.com/docs/ckeditor5/latest/getting-started/setup/csp.html
    I guess we were surprised the team didn't feel this way about - 'unsafe-eval'
    -J
DavidAld
Copper Contributor
Dec 12, 2025
Thanks for the information. I'm using Purview to catch all the external URLs we need to add in the trusted list. However, regarding "inline", I assume we need to worry about the ones with Directive=12 (script-src), right? Because I see several "inline" with Directive=13 (style-src), and ideally they would not be impacted with the enforcement.
- BertJansen
  Microsoft
  Dec 15, 2025
  DavidAld : both directives are relevant, the audit logs show all entries which show up as warnings in the browser's console log today. Once CSP is enforced these warnings will be errors and will impact functionality. In my testing I see 13 being used for inline code constructs, please check Support for Content Security Policy (CSP) in SharePoint Online | Microsoft Learn to see if your code that reports 13 is using any of these constructs.
  - DavidAld
    Copper Contributor
    Dec 15, 2025
    Thanks, i have already checked. What is not clear for me is the fact I'm still seeing logs entries in Purview, despite of adding the different entries in "external script sources" section. For Clarity, I have tried "https://www.clarity.ms/", "https://www.clarity.ms", and other variants, but I still see "https://scripts.clarity.ms/0.8.45/clarity.js" as blocked URL in the logs. I will open a case for that anyway.
ChristophSadleder
Copper Contributor
Nov 27, 2025
Thank you for the information. This is certainly a positive step toward improving security. Can we assume that, as shown in the screenshot and article (https://learn.microsoft.com/en-us/sharepoint/dev/spfx/content-securty-policy-trusted-script-sources), the policy “script-src ‘unsafe-eval’ ...” will remain in place and will not be excluded from the policy?
- BertJansen
  Microsoft
  Dec 10, 2025
  ChristophSadleder : yes, 'script-src' and 'unsafe-eval' will be there. Using eval() in script is allowed by our CSP implementation

Blog Post