Content Security Policies (CSP) are coming to SharePoint Online and might impact your custom SPFx solutions
MC1193419 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-12-09 00:19:28
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2026-03-01 00:00:00
Services
SharePoint Online
Tags
New feature, User impact, Admin impact
Master tags
Security
Roadmap IDs
485797

One-line summary

SharePoint Online will enforce Content Security Policy from March 1, 2026, blocking scripts from untrusted sources and requiring admins to update SPFx solutions as needed.

Details

RoadmapIds
485797
Summary
Starting March 1, 2026, SharePoint Online will enforce Content Security Policy (CSP), blocking scripts from non-trusted sources in custom SPFx solutions. To avoid disruption, ensure all scripts come from trusted sources and move inline scripts to files. CSP enforcement can be postponed 90 days via PowerShell.
Platforms
Desktop

Body (from Message Center)

We’re improving SharePoint Online security through Content Security Policy (CSP) enforcement. CSP is currently applied in reporting mode; as of March 1, 2026, it will be enforced, which will prevent script (e.g. JavaScript) from loading from non-allowed sources. This message center post replaces MC1055557 (April 2024).

This change is associated with Microsoft 365 Roadmap ID: 485797

[When this will happen:]

This will be implemented starting March 1, 2026.

[How this will affect your organization:]

If your organization has extended SharePoint Online using SPFx, your custom SPFx solutions could load scripts from locations that are not allowed. In most cases SPFx solutions load script from allowed locations, but that’s not always the case. Any script from a location that is not allowed will be blocked, and the same applies to any inline script. SPFx solutions whose script is blocked will no longer function as designed, impacting business scenarios that depend on those solutions.

To prevent solutions from breaking, you need to:

  1. Ensure all script locations in use are trusted script sources. This can be done without updating the SPFx solution.
  2. Move all inline script to script files, which can then be defined as a trusted source. This requires updating the SPFx solution.

If you need more time to review your SPFx solutions, you can postpone CSP enforcement by 90 days with the following SPO Management Shell PowerShell cmdlet:

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

Note:

This option will be available in the SPO Management Shell version 16.0.26712.12000 (November 2025) or higher.

[What you need to do to prepare:]

In addition to the default CSP settings, SharePoint Online will add locations listed in the Trusted Script Sources area of the SharePoint Online Admin Center as valid locations for CSP, thus enabling script loading from those locations. To add an entry, in a browser, go to the Trusted Script Sources via SharePoint Online Admin Center > Advanced > Script sources.

There are two ways to find out which script locations to add. The first is to test your SPFx solutions with the browser dev tools console open. Because CSP is in reporting mode until March 1, 2026, the console shows messages for each script that will be blocked once CSP is enforced. These messages start with “Loading the script '<path to script>' violates the following…” or “Executing inline script violates the following Content Security Policy directive…”.

The second is the audit log: whenever the browser logs a CSP violation, that violation is also logged to Microsoft Purview. In the browser, navigate to the Audit solution in Microsoft Purview from the Microsoft 365 Admin Center. From the Search page, search for the Activity - friendly names value Violated Content Security Policy, or the Activity - operation names value ViolatedContentSecurityPolicy.

Selecting a search result opens the side panel with the audit details. Take note of the following properties:

  • DocumentUrl: This indicates the page in the SharePoint Online site where the CSP violation occurred.
  • BlockedUrl: This indicates the URL of the script that violated the CSP configuration, or contains “inline” when the violation came from loading inline script.

Important

In the case of inline script, the remediation requires updating the SPFx solution by moving inline script into a separate script file, which then can be added as a trusted source.
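
The triage those two audit properties support, as an added example that is not part of the Message Center post or any Microsoft tooling: it separates violations that can be resolved by reviewing a script origin for the Trusted Script Sources list from those that need the SPFx solution changed because the script is inline. The record shape (plain objects carrying DocumentUrl and BlockedUrl), the function name and every URL are assumptions constructed for illustration, and grouping by origin is this example's choice for review, not a statement of the entry format the admin center expects.

```javascript
// Added example. Record shape follows the two audit properties named above;
// every URL below is constructed sample data.
const sampleRecords = [
  { DocumentUrl: "https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx",
    BlockedUrl: "https://cdn.example.net/libs/chart.min.js" },
  { DocumentUrl: "https://contoso.sharepoint.com/sites/hr/SitePages/Leave.aspx",
    BlockedUrl: "https://cdn.example.net/libs/grid.min.js?v=3" },
  { DocumentUrl: "https://contoso.sharepoint.com/sites/it/SitePages/Status.aspx",
    BlockedUrl: "inline" },
  { DocumentUrl: "https://contoso.sharepoint.com/sites/it/SitePages/Status.aspx",
    BlockedUrl: "HTTPS://Widgets.Example.org:8443/embed.js" },
  { DocumentUrl: "https://contoso.sharepoint.com/sites/it/SitePages/Old.aspx",
    BlockedUrl: "" },
];

// Split violations into: origins to review as trusted script sources,
// pages whose SPFx solution needs inline script moved to a file,
// and records that need a manual look.
function triageCspViolations(records) {
  const byOrigin = new Map();    // origin -> { scripts: Set, pages: Set }
  const inlinePages = new Set();
  const unparsed = [];
  for (const rec of records) {
    const blocked = String(rec.BlockedUrl ?? "").trim();
    let url = null;
    try { url = new URL(blocked); } catch { /* not an absolute URL */ }
    if (url && (url.protocol === "https:" || url.protocol === "http:")) {
      // origin normalises case and drops path/query, so one host is one row
      if (!byOrigin.has(url.origin)) {
        byOrigin.set(url.origin, { scripts: new Set(), pages: new Set() });
      }
      byOrigin.get(url.origin).scripts.add(url.origin + url.pathname);
      byOrigin.get(url.origin).pages.add(rec.DocumentUrl);
    } else if (blocked.toLowerCase().includes("inline")) {
      inlinePages.add(rec.DocumentUrl);  // needs a code change, not a trust entry
    } else {
      unparsed.push(rec);
    }
  }
  const sourcesToReview = [...byOrigin.entries()]
    .map(([origin, v]) => ({ origin, scripts: [...v.scripts].sort(), pages: [...v.pages].sort() }))
    .sort((a, b) => a.origin.localeCompare(b.origin));
  return { sourcesToReview, inlinePages: [...inlinePages].sort(), unparsed };
}

console.log(JSON.stringify(triageCspViolations(sampleRecords), null, 2));
```

Each origin in `sourcesToReview` is a candidate to vet before trusting it, since a trusted source is allowed to run script on every page; the `scripts` and `pages` lists show what actually depends on it.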

Learn more: Support for Content Security Policy (CSP) in SharePoint Online 
