rishiupatil
Apr 01, 2026

SPFx CDN URLs not consistently added to Trusted Script Sources (CSP)

Hi everyone,

We’re currently investigating an issue related to SharePoint Online Content Security Policy (CSP) and Trusted Script Sources (TSS) for SPFx solutions.

[SharePoint Online] [SPFx] [CSP]

Scenario

  • We deployed multiple SPFx .sppkg packages via App Catalog
  • These solutions load scripts from an external CDN (cdnBasePath, with includeClientSideAssets: false)

Expected Behavior

  • As per documentation, CDN URLs used by SPFx solutions should be available/registered in Trusted Script Sources so that scripts can load under CSP enforcement

Observed Behavior

  • Only some CDN URLs (from certain packages) appear in Trusted Script Sources
  • Others are missing, even though they are similarly configured and deployed
  • Due to this, scripts from those missing sources are blocked by CSP, and the extension fails to load

Additional Notes

  • No use of eval() or inline scripts in our code
  • Re-deploying packages sometimes resolves the issue (CDN URLs get registered afterward)
  • Behavior appears inconsistent across environments

Question
Has anyone encountered a similar issue where:

  • Trusted Script Sources were partially auto-populated from App Catalog deployments?
  • CDN URLs from some SPFx packages were not registered automatically?

Any insights on:

  • Root cause
  • Known limitations
  • Best practices to ensure consistent registration

would be really helpful.

Thanks in advance!

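One way to see which packages are affected, as an added example that is not part of the original post: it compares each component manifest's `loaderConfig.internalModuleBaseUrls` against the script source list of a CSP header. The header string, hosts and aliases are constructed, the matcher is a simplified form of CSP host-source matching, and it assumes the tenant's Trusted Script Sources show up as `script-src` entries in the page's CSP response header.

```javascript
// Added example; the header, hosts and aliases below are constructed sample data.
function scriptSources(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  return directives.get('script-src-elem') || directives.get('script-src') ||
    directives.get('default-src') || [];
}

// Simplified CSP host-source match: scheme, "*." host wildcard, port, path prefix.
function sourceAllows(expr, url) {
  if (expr.startsWith("'")) return false; // 'self', nonces, hashes never cover a CDN
  if (expr === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme = 'https', host, port, path] = m; // assumes an https page
  const s = scheme.toLowerCase() + ':';
  if (s !== url.protocol && !(s === 'http:' && url.protocol === 'https:')) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === urlPort : url.port === '');
  if (!hostOk || !portOk) return false;
  if (!path) return true; // no path in the source: any path on that host
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Returns [{ alias, base }] for every CDN base URL no script source covers.
function auditManifests(manifests, cspHeader) {
  const sources = scriptSources(cspHeader);
  const missing = [];
  for (const m of manifests) {
    for (const base of m.loaderConfig?.internalModuleBaseUrls ?? []) {
      if (!/^https?:\/\//i.test(base)) continue; // skip non-absolute entries
      const url = new URL(base);
      if (!sources.some((s) => sourceAllows(s, url))) missing.push({ alias: m.alias, base });
    }
  }
  return missing;
}
const sampleCsp = "script-src 'self' 'nonce-r4nd0m' https://cdn.contoso.com/spfx/hr/ https://*.fabrikam.example; object-src 'none'";
const mk = (alias, base) => ({ alias, loaderConfig: { internalModuleBaseUrls: [base] } });
const sampleManifests = [mk('HrWebPart', 'https://cdn.contoso.com/spfx/hr/'), mk('FinanceExtension', 'https://cdn.contoso.com/spfx/finance/'),
  mk('NewsWebPart', 'https://assets.fabrikam.example/news/'), mk('LegacyExtension', 'https://fabrikam.example/legacy/')];
console.log(auditManifests(sampleManifests, sampleCsp));
```

Running the same comparison before and after a re-deployment shows which base URLs were registered in between.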