(Updated) Content Security Policies (CSP) are coming to SharePoint Online and might impact your custom SPFx solutions
MC1193419
Category
planForChange
Severity
normal
Major change
True
Last modified
2026-03-13 19:26:48
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2026-03-01 00:00:00
Services
SharePoint Online
Tags
Updated message, New feature, User impact, Admin impact
Master tags
Admin, Security
Roadmap IDs
485797

One-line summary

SharePoint Online will enforce Content Security Policy from March 1, 2026, blocking scripts from non-trusted sources and requiring remediation for non-compliant SPFx solutions.

Details

RoadmapIds
485797
Summary
Starting March 1, 2026, SharePoint Online will enforce Content Security Policy (CSP), blocking scripts from untrusted sources in custom SPFx solutions. To avoid disruptions, ensure all scripts come from trusted sources and move inline scripts to files. CSP enforcement can be postponed 90 days via PowerShell.
Platforms
Desktop

Body (from Message Center)

Updated March 13, 2026: We have updated the timeline. Thank you for your patience. 

We’re improving SharePoint Online security via Content Security Policy (CSP) enforcement. CSP is currently applied in reporting mode; as of March 1, 2026, it will be enforced, which will prevent script (e.g. JavaScript) from loading from non-allowed sources. This message center post replaces MC1055557 (April 2024).

This change is associated with Microsoft 365 Roadmap ID: 485797

[When this will happen:]

This will be implemented starting March 1, 2026 and should complete by March 20, 2026.

[How this will affect your organization:]

If your organization has extended SharePoint Online using SPFx, the resulting custom SPFx solutions could load scripts from locations that are not allowed. In most cases SPFx solutions load script from allowed locations, but that’s not always the case. Any script from a non-allowed location will be blocked, and the same applies to any inline script. SPFx solutions whose script is blocked will no longer function as designed, impacting business scenarios that depend on those solutions.

To prevent solutions from breaking, you need to:

  1. Ensure all script locations in use are trusted script sources. This can be done without updating the SPFx solution.
  2. Move all inline script to script files, which can then be defined as trusted sources. This will require updating the SPFx solution!

If you need more time to review your SPFx solutions, there’s an option to postpone CSP enforcement by 90 days using the following SPO Management Shell PowerShell cmdlet:

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

Note:

This option will be available in the SPO Management Shell version 16.0.26712.12000 (November 2025) or higher.

[What you need to do to prepare:]

In addition to the default CSP settings, SharePoint Online will add locations listed in the Trusted Script Sources area of the SharePoint Online Admin Center as valid locations for CSP, thus enabling script loading from those locations. To add an entry, in a browser, go to the Trusted Script Sources via SharePoint Online Admin Center > Advanced > Script sources.

To understand which script locations to add, there are two options. The first option is to test your SPFx solutions with the browser dev tools console open. As CSP is in reporting mode until March 1, 2026, there will be messages indicating script that will be blocked once CSP is enforced. These messages start with “Loading the script '<path to script>' violates the following…” or “Executing inline script violates the following Content Security Policy directive…”.

The second option is the audit log: whenever the browser logs a CSP violation, that violation is also logged to Microsoft Purview. In the browser, navigate to the Audit solution in Microsoft Purview from the Microsoft 365 Admin Center. From the Search page, search for the Activity - friendly names value Violated Content Security Policy, or the Activity - operation names value ViolatedContentSecurityPolicy.

Selecting a search result opens the side panel with the audit details. Take note of the following properties:

  • DocumentUrl: This indicates the page in the SharePoint Online site where the CSP violation occurred.
  • BlockedUrl: This indicates the URL of the script that violated the CSP configuration, or contains “inline” when the violation came from loading inline script.

Important

In the case of inline script, the remediation requires updating the SPFx solution by moving inline script into a separate script file, which then can be added as a trusted source.
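
One way to triage the audit records described above, as an added example that is not part of the original Message Center post: it groups ViolatedContentSecurityPolicy records by the origin of BlockedUrl (locations to review for the Trusted Script Sources list) and lists the pages whose violations came from inline script. The record shape (objects exposing Operation, DocumentUrl and BlockedUrl), the function name and every sample URL are assumptions constructed for illustration.

```javascript
// Constructed sample records (not real audit data). Assumption: each exported
// audit record was parsed into an object with Operation, DocumentUrl, BlockedUrl.
const HR = "https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx";
const FIN = "https://contoso.sharepoint.com/sites/finance/SitePages/Reports.aspx";
const sampleRecords = [
  { Operation: "ViolatedContentSecurityPolicy", DocumentUrl: HR, BlockedUrl: "https://cdn.example.net/libs/chart.min.js?v=2" },
  { Operation: "ViolatedContentSecurityPolicy", DocumentUrl: HR, BlockedUrl: "https://cdn.example.net/libs/chart.min.js?v=3" },
  { Operation: "ViolatedContentSecurityPolicy", DocumentUrl: FIN, BlockedUrl: "https://cdn.example.net/libs/grid.js" },
  { Operation: "ViolatedContentSecurityPolicy", DocumentUrl: FIN, BlockedUrl: "inline" },
  { Operation: "ViolatedContentSecurityPolicy", DocumentUrl: HR, BlockedUrl: "https://widgets.example.org/inline-help.js" },
  { Operation: "FileAccessed", DocumentUrl: HR, BlockedUrl: "" }, // unrelated record, skipped
];

// Split violations into external script origins (candidates to review for the
// Trusted Script Sources list) and pages using inline script (need a code change).
function triageCspViolations(records) {
  const byOrigin = new Map();
  const inlinePages = new Set();
  const unparsed = [];
  for (const r of records) {
    if (r.Operation !== "ViolatedContentSecurityPolicy") continue;
    const blocked = String(r.BlockedUrl || "").trim();
    let url = null;
    try { url = new URL(blocked); } catch (e) { /* not an absolute URL */ }
    if (url && (url.protocol === "https:" || url.protocol === "http:")) {
      // A real script URL, even if its path happens to contain "inline".
      const e = byOrigin.get(url.origin) || { hits: 0, scripts: new Set(), pages: new Set() };
      e.hits += 1;
      e.scripts.add(url.origin + url.pathname); // drop query strings so versions collapse
      e.pages.add(r.DocumentUrl);
      byOrigin.set(url.origin, e);
    } else if (blocked.toLowerCase().includes("inline")) {
      inlinePages.add(r.DocumentUrl);
    } else {
      unparsed.push(blocked); // keep for manual review rather than guessing
    }
  }
  const externalSources = [...byOrigin.entries()]
    .map(([origin, e]) => ({ origin, hits: e.hits, scripts: [...e.scripts].sort(), pages: [...e.pages].sort() }))
    .sort((a, b) => b.hits - a.hits || a.origin.localeCompare(b.origin));
  return { externalSources, inlinePages: [...inlinePages].sort(), unparsed };
}

console.log(JSON.stringify(triageCspViolations(sampleRecords), null, 2));
```

Each origin in the output should be checked against the SPFx solution that loads it before it is trusted; the pages listed under inlinePages point to solutions that need the code change described in the note above.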

Learn more: Support for Content Security Policy (CSP) in SharePoint Online 
