MC1193419 – Content Security Policies (CSP) are coming to SharePoint Online and might impact your custom SPFx solutions

Product:

Microsoft 365 admin center, Purview, Purview Communication Compliance, SharePoint

Platform:

Online, US Instances, Windows Desktop, World tenant

Status:

In development

Change type:

New feature, User impact, Admin impact

Links:

MC1055557
485797

Details:

Summary:
Starting March 1, 2026, SharePoint Online will enforce Content Security Policy (CSP), blocking scripts from non-trusted sources in custom SPFx solutions. To avoid disruption, ensure all scripts come from trusted sources and move inline scripts to files. CSP enforcement can be postponed 90 days via PowerShell.

Details:
We're improving SharePoint Online security via Content Security Policy (CSP) enforcement. Currently CSP is applied in reporting mode but as of March 1, 2026, the Content Security Policy will be enforced which will prevent the loading of script (e.g. JavaScript) from non-allowed sources. This message center post replaces MC1055557 (April 2024).
This change is associated with Microsoft 365 Roadmap ID: 485797
[When this will happen:]
This will be implemented starting March 1, 2026.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:
General Availability, Targeted Release

Created:
2025-12-09

updated:
2025-12-09

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

CSP Enforcement Impact on SPFx Solutions
Custom SPFx solutions may fail to load scripts from non-trusted sources, leading to functionality loss.
   - roles: SharePoint Developer, IT Administrator
   - references: https://aka.ms/spfx/csp, https://www.microsoft.com/microsoft-365/roadmap?id=485797

User Experience Degradation
Users may experience broken functionalities in SharePoint Online due to blocked scripts, impacting productivity.
   - roles: End User, Business Analyst
   - references: https://aka.ms/spfx/csp, https://purview.microsoft.com/ " target="_blank" rel="nofollow noopener noreferrer">https://purview.microsoft.com/

Inline Script Migration Requirement
Organizations will need to update SPFx solutions to move inline scripts to external files, requiring development resources.
   - roles: SharePoint Developer, Project Manager
   - references: https://aka.ms/spfx/csp, https://www.microsoft.com/microsoft-365/roadmap?id=485797

Delay in CSP Enforcement
Failure to postpone CSP enforcement may lead to immediate disruptions, necessitating urgent fixes.
   - roles: IT Administrator, Compliance Officer
   - references: https://aka.ms/spfx/csp, https://www.microsoft.com/microsoft-365/roadmap?id=485797

Audit and Monitoring Challenges
Increased need for monitoring CSP violations may overwhelm IT teams, leading to potential oversight.
   - roles: IT Administrator, Security Analyst
   - references: https://purview.microsoft.com/, https://www.microsoft.com/microsoft-365/roadmap?id=485797

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Security and Compliance Monitoring
Implementing CSP will enhance security by ensuring that only trusted scripts are executed, thus reducing the risk of malicious code execution. This will also improve compliance with data protection regulations as it provides better control over what scripts are allowed to run.
   - next-steps: Conduct a security audit of existing SPFx solutions to identify non-trusted script sources and implement necessary changes to comply with CSP.
   - roles: Security Officers, Compliance Managers, IT Administrators
   - references: https://aka.ms/spfx/csp" target="_blank" rel="nofollow noopener noreferrer">https://aka.ms/spfx/csp, https://www.microsoft.com/microsoft-365/roadmap?id=485797 " target="_blank" rel="nofollow noopener noreferrer">https://www.microsoft.com/microsoft-365/roadmap?id=485797

Improved User Experience through Performance Optimization
By enforcing CSP, the loading of scripts from non-trusted sources will be eliminated, potentially improving page load times and overall user experience. Users will benefit from a more reliable and faster SharePoint environment.
   - next-steps: Analyze current script usage in SPFx solutions and optimize or remove any non-essential scripts that may be slowing down performance.
   - roles: User Experience Designers, IT Administrators, Business Analysts
   - references: https://aka.ms/spfx/csp" target="_blank" rel="nofollow noopener noreferrer">https://aka.ms/spfx/csp, https://purview.microsoft.com/

Streamlined IT Administrative Processes
The ability to manage and monitor script sources through the SharePoint Online Admin Center will streamline administrative tasks, allowing for easier identification and remediation of CSP violations, thus reducing the workload on IT teams.
   - next-steps: Train IT staff on the new CSP management features and establish a regular review process for monitoring script sources and compliance with CSP.
   - roles: IT Administrators, SharePoint Administrators, DevOps Teams
   - references: https://www.microsoft.com/microsoft-365/roadmap?id=485797, https://aka.ms/spfx/csp" target="_blank" rel="nofollow noopener noreferrer">https://aka.ms/spfx/csp

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Starting March 1, 2026, SharePoint Online will begin enforcing a security measure known as Content Security Policy (CSP). This change is like putting a filter on your email to block spam. Just as you would only allow emails from trusted contacts, CSP will ensure that only scripts from trusted sources can run on your SharePoint Online sites. This means that any custom solutions using SPFx (SharePoint Framework) will need to have their scripts sourced from approved locations. If not, these scripts will be blocked, similar to how spam emails are filtered out, which could cause some of your custom solutions to stop working as intended.

To prepare for this change, you can think of it like organizing a guest list for an event. You need to ensure that all the scripts (or guests) you want to use are on the trusted list (or guest list). If a script is not on this list, it will be blocked from running, just like an uninvited guest would be turned away at the door.

Additionally, any inline scripts, which are like handwritten notes passed during the event, need to be moved to a separate file. This file can then be added to the trusted list, ensuring it can be used without issue.

If you find that you need more time to make these adjustments, there is an option to delay the enforcement of CSP by 90 days using a PowerShell command. This is akin to extending the deadline for your event planning, giving you a bit more time to ensure everything is in order.

To identify which scripts need attention, you can use browser developer tools. These tools will show messages indicating which scripts will be blocked once CSP is enforced. It's like having a checklist that highlights which guests are not on the list, allowing you to take action before the event.

For more detailed guidance, you can refer to the provided links and resources. This change is designed to enhance security, ensuring that only trusted scripts can run on your SharePoint Online sites, much like ensuring only trusted individuals are allowed into a secure event.