Microsoft began enforcing Content Security Policy (CSP) across SharePoint Online on 1 March 2026. Tenants that ran Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true in the SharePoint Online Management Shell received a 90-day extension, pushing their deadline to 1 June 2026. That window has now closed. Every SharePoint Online tenant is operating under full CSP enforcement with no opt-out remaining.
What Content Security Policy enforcement means for your tenant
CSP is a browser security standard that controls which scripts a page is permitted to load and execute. Under full enforcement, the following are blocked:
- Inline scripts embedded directly in page HTML, including scripts inside classic Script Editor web parts and Content Editor web parts.
- Scripts loaded from external domains not registered as trusted sources in the SharePoint admin center.
- SharePoint Framework (SPFx) solutions that load assets from CDN endpoints not present in the trusted sources list.
The most common symptom is a custom web part or embedded script that stops responding without any visible error in the SharePoint interface. Users typically report nothing more specific than "the web part stopped working." To confirm the cause, open the browser developer tools (F12): CSP violations appear in the console, one entry per blocked resource.
Priority checks for SharePoint Online administrators
| What to check | Where to look | Priority |
|---|---|---|
| Classic Script Editor and Content Editor web parts containing inline JavaScript | Search site pages via SharePoint search; enumerate with PnP PowerShell Get-PnPWebPart | High |
| External script sources not yet registered as trusted | SharePoint admin center → Settings → Advanced → Script sources | High |
| SPFx solutions loading assets from an unregistered CDN endpoint | Review app package manifests; check browser F12 console for CSP errors on affected pages | Medium |
| Third-party integrations or add-ins that inject scripts into SharePoint pages | Tenant app catalog in the SharePoint admin center | Medium |
How to register trusted external script sources
To allow a specific external domain to serve scripts on your SharePoint pages:
- Open the SharePoint admin center.
- Navigate to Settings → Advanced.
- Under Script sources, add each domain that needs to be trusted.
- Use wildcard entries where multiple subdomains are in use: *.vendor.com covers all subdomains in a single entry.
- Save. Changes apply tenant-wide and take effect within a few minutes.
The tenant supports up to 300 trusted source entries. Consolidating entries with wildcards keeps the list manageable and reduces the risk of missing a subdomain variant.
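Before adding entries, it helps to sort the blocked sources seen in the F12 console into those that need a trusted-source entry and those that need refactoring. The following is an added example, not Microsoft's code: the function names and sample URLs are constructed, and it assumes wildcard entries match the way CSP host-sources do, where *.vendor.com covers subdomains but not the bare vendor.com.

```javascript
// Added example, not Microsoft's code. triage() and hostMatches() are hypothetical names.
// Assumption: trusted-source entries match like CSP host-sources, so "*.vendor.com"
// covers every subdomain but NOT the bare domain "vendor.com".
const MAX_ENTRIES = 300; // tenant limit stated in the article

function hostMatches(host, entry) {
  // Reduce an entry such as "https://*.vendor.com/path" to its host pattern.
  const pattern = entry.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '')
    .split('/')[0];
  const h = host.toLowerCase();
  return pattern.startsWith('*.')
    ? h.endsWith(pattern.slice(1)) // ".vendor.com" suffix, so "evilvendor.com" fails
    : h === pattern;
}

function triage(blockedSources, trustedEntries) {
  const out = {
    refactor: 0,        // inline/eval blocks: no trusted-source entry can fix these
    register: [],       // external hosts with no matching entry
    alreadyTrusted: [], // matched an entry; look for another cause
    unparsed: [],       // values that are neither a keyword nor a URL
    overLimit: trustedEntries.length > MAX_ENTRIES,
  };
  const seen = new Set();
  for (const src of blockedSources) {
    if (src === 'inline' || src === 'eval') { out.refactor++; continue; }
    let host;
    try { host = new URL(src).hostname; } catch { out.unparsed.push(src); continue; }
    if (seen.has(host)) continue; // report each host once
    seen.add(host);
    const trusted = trustedEntries.some((e) => hostMatches(host, e));
    (trusted ? out.alreadyTrusted : out.register).push(host);
  }
  return out;
}

// Constructed sample input: blocked sources as collected from console entries.
const sampleBlocked = [
  'inline',
  'https://cdn.vendor.com/widget.js',
  'https://vendor.com/loader.js',
  'https://static.analytics.example/t.js',
  'https://cdn.vendor.com/other.js',
];
const sampleReport = triage(sampleBlocked, ['*.vendor.com']);
console.log(sampleReport);
```

In the sample, vendor.com lands in the register list even though *.vendor.com is present, which is the subdomain variant that is easiest to miss when consolidating entries.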
For broader SharePoint environment health checks, the SharePoint permissions audit guide and the SharePoint permission levels reference cover the access governance side of a secure tenant configuration.
Frequently Asked Questions
What is Content Security Policy in SharePoint Online?
Content Security Policy (CSP) is a browser security standard that restricts which scripts a page is allowed to load and execute. In SharePoint Online, Microsoft now enforces CSP so that inline scripts and scripts loaded from untrusted external domains are blocked. Administrators must explicitly register approved external script sources in the SharePoint admin center.
Will my custom SharePoint web parts break because of CSP enforcement?
Modern SharePoint Framework (SPFx) solutions built to current standards are generally unaffected. Classic web parts that inject inline scripts or load from unregistered external URLs will be blocked. Script Editor web parts and Content Editor web parts containing inline JavaScript are the most likely to break and should be reviewed and refactored into external script files.
How do I add trusted script sources in SharePoint Online?
Open the SharePoint admin center, go to Settings, then Advanced, and look for the Script sources section. You can add up to 300 trusted external domains. Wildcards are supported (for example, *.yourdomain.com covers all subdomains). Changes apply tenant-wide.