Content Security Policy (CSP) changes in SharePoint Online

Microsoft is introducing Content Security Policy (CSP) enforcement in SharePoint Online to strengthen security against threats like cross-site scripting (XSS) and code injection. This change affects how scripts and custom solutions run in your SharePoint environment.

Key dates

• Now – February 28, 2026: CSP is in report-only mode. No scripts are blocked yet, but violations are logged.
• March 1, 2026: CSP enforcement begins. Non-compliant scripts will be blocked.
• Optional: You can delay enforcement by 90 days (until June 1, 2026) using PowerShell.

More details can be found here in this Microsoft blog

Brief technical summary

All inline non-compliant scripts will be blocked and must be re-written. Where external URLs are referenced within scripts, these must be added into the SharePoint central administration Trusted Sources.

Below is an example of an inline script. It is not CSP compliant and will be blocked from March 1st, 2026:

<script type="text/javascript">alert('inline script');</script>

Below is an example of a script referenced to a local source, as it references a JavaScript file located on the same server, it is CSP compliant and does not have to be included as a Trusted Script Source:

<script type="text/javascript" src="/SiteAssets/my-script-file.js"></script>

Below is an example of a script referencing an external source, in this case the URL or the domain must be defined as a Trusted Script Source in SharePoint in order to be CSP compliant:

<script type="text/javascript" src="https://www.externaldomain.com/example-js/my-script-file.js"></script>

Detect non CSP compliant scripts

You can already estimate the impact this policy will have on your environment. The following steps will help you identify the SharePoint pages that are not CSP compliant and the scripts that will be blocked from March 1st, 2026:

1. As an administrator, open Microsoft Purview purview.microsoft.com
2. Select Solutions > Audit
3. Create a report searching for Activity - Violated Content Security Policy to get a list of CSP violations.

Steps to ensure compliance

To be CSP compliant please follow theses instructions:

• Refactor inline scripts
• Configure additional trusted sources: Use SharePoint Admin Center to whitelist approved domains and URLs.
• Alternatively, delay the enforcement of the CSP (this is time limited however).

1. Refactor inline scripts

From the list of inline scripts obtained from the Audit described previously:

1. Move the script code into a separated .js file
2. Modify the script to use the .js file as a source
3. If the .js file is in an external domain (not SharePoint), add its URL to the list of Trusted Sources as described below.

2. Configure trusted sources in SharePoint Administration

The scripts identified in the Audit will have to be manually added to the SharePoint Trusted Script Sources:

• Go to SharePoint Admin Center:
• Navigate to Advanced > Script Sources
• After verifying the sources are safe, add the script URLs detected in the Purview Audit, as Trusted Script Sources.

3. Delay enforcement

If you need more time, you can delay CSP enforcement for your tenant by 90 days (until June 1, 2026) using the SharePoint Online Management Shell:

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

Internal communication matters

End users may notice broken functionality or warning messages when CSP enforcement begins. We recommend:

• Proactive communication to explain the change and reassure users.
• Highlight that this is a security improvement, not a system failure.
• Provide clear escalation paths for reporting issues.

If you are a customer, check our Zendesk knowledge base for the more in-depth technical article.