
Microsoft updates Content Security Policy - what does this mean for your Intranet?

How CSP works in SharePoint Online


Content Security Policy (CSP) is a critical browser security feature designed to protect web applications from threats like cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP allows site owners to specify which resources (scripts, styles, images, etc.) a page can load, reducing the risk of malicious code execution.

When a page loads, the browser checks every script request against the CSP rules set by SharePoint Online. If a script’s source is not explicitly allowed, the browser blocks it and logs a violation. This applies to both external scripts and inline scripts (JavaScript embedded directly in HTML or event handlers).

Timeline - March 1, 2026

  • CSP will be enforced for all customers, unless a temporary opt-out is in place, which delays enforcement until June 1, 2026.

  • Opt-out via PowerShell: Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

We recommend temporarily opting out. This will extend the deadline for the new updated CSP enforcement until June 1, 2026. If you still have questions after reading this article, please contact Involv support.

Timeline - June 1, 2026

  • CSP will be enforced for all customers. Temporary opt-out stops working.

How can you test the enforcement right now?

  • Put the parameter ?csp=enforce at the end of your page URL and reload the page. Note that a couple of refreshes may be needed for the CSP enforced mode to become active.

What does this mean for your intranet?

The change will mainly affect Script Editors and RSS feeds - these web parts are used for executing custom code on pages and loading external content into your intranet.

  • External content: Some clients use an RSS feed to display social or other external content on their intranet. CSP will block RSS links by default. External links can be whitelisted by adding them to your Trusted Sources in the SharePoint Admin Portal (More information).

  • Internal code: Involv consultants regularly use script editors to apply custom refinements to your intranet. CSP may break some things in those custom scripts. If you experience any problems, please contact our support. We will look for a solution.

  • Code editors: Our Script Editor web part and Search web part (for the Handlebars section) use the Monaco Editor. This editor will be blocked by the CSP update. Please contact Involv support for an update to restore the code editor within these web parts.

Solutions

Applying the solutions below requires advanced technical knowledge and permissions and is therefore mainly intended for Involv consultants and partners.
Please contact your internal IT department or Involv support in case you notice issues when testing the CSP enforcement.

  • External content:

    • Add external URLs to Trusted Sources

    • Temporary/alternative solution: download the script from the external source and put it inside a JavaScript file. Put this file in the Site Assets folder of your SP site (preferably in a Scripts subfolder under Site Assets). Next, you can load this file inside of the Script Editor as follows:

      <script src="/sites/Intranet/SiteAssets/Scripts/script.js" type="text/javascript"></script>

  • Internal code and code editors (Involv version 5.3)

    • Plain JavaScript inside of script tags will be blocked by CSP. Involv has prepared a solution in version 5.3. If your Intranet is already on this version, no action is needed. Otherwise, contact Involv support: we will update your Intranet to the latest version.

    • Inline event handlers (DOM level 0, such as an onclick attribute) will permanently be blocked by the updated CSP. Please ask the script author(s) or manager(s) to replace any inline handlers with DOM level 2 handlers attached through event listeners (addEventListener).
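As an added example (not Involv's or Microsoft's code), the script below checks Script Editor markup for the constructs listed above before enforcement and performs the DOM level 0 to DOM level 2 rewrite; the tenant URL, trusted host list and sample markup are constructed placeholders.

```javascript
// Added example, not Involv or Microsoft code. Finds what the enforced SharePoint
// CSP blocks in Script Editor markup (inline <script> bodies, DOM level 0 on* handlers,
// script hosts missing from Trusted Sources) and rewrites the handlers as DOM level 2
// listeners. SITE_BASE and SAMPLE are constructed placeholders, not real tenant data.
const SITE_BASE = "https://tenant.sharepoint.com";
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
const TAG = /<([a-z][a-z0-9-]*)\b([^>]*?)(\/?)>/gi;
const HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const SAMPLE = `<script src="https://cdn.example.com/widget.js"></script><script>alert('hi')</script>
<button onclick="toggle()">Menu</button><img src="/x.png" onerror='logError(event)' />`;
function scanMarkup(html, trustedHosts) {
  const trusted = new Set([new URL(SITE_BASE).host, ...trustedHosts].map((h) => h.toLowerCase()));
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const src = SRC_ATTR.exec(attrs);
    if (!src) {
      if (body.trim()) findings.push({ kind: "inline-script", detail: body.trim().slice(0, 40) });
    } else {
      // Relative paths such as /sites/Intranet/SiteAssets/... resolve to the tenant host.
      const host = new URL(src[1], SITE_BASE).host.toLowerCase();
      if (!trusted.has(host)) findings.push({ kind: "untrusted-script-src", detail: src[1] });
    }
  }
  for (const [, tag, attrs] of html.matchAll(TAG)) {
    for (const [, name] of attrs.matchAll(HANDLER_ATTR)) {
      findings.push({ kind: "inline-handler", detail: `<${tag} ${name.toLowerCase()}>` });
    }
  }
  return findings;
}

// Strip on* attributes, mark each affected element, and collect the handler bodies.
function migrateInlineHandlers(html) {
  const listeners = []; let n = 0;
  const markup = html.replace(TAG, (whole, tag, attrs, selfClose) => {
    const handlers = [...attrs.matchAll(HANDLER_ATTR)];
    if (handlers.length === 0) return whole;
    const marker = `csp-h${n++}`;
    for (const [, name, dq, sq, bare] of handlers) {
      listeners.push({ marker, event: name.slice(2).toLowerCase(), code: dq ?? sq ?? bare });
    }
    return `<${tag}${attrs.replace(HANDLER_ATTR, "")} data-csp-handler="${marker}"${selfClose}>`;
  });
  return { markup, listeners };
}
// The same handler code, attached with addEventListener from the external file.
function listenerSource(listeners) {
  return listeners.map(({ marker, event, code }) => `document.querySelectorAll('[data-csp-handler="${marker}"]')` +
    `.forEach((el) => el.addEventListener('${event}', function (event) { ${code} }));`).join("\n");
}
```

Running scanMarkup(SAMPLE, []) reports four findings, one per blocked construct; after migrateInlineHandlers(SAMPLE) only the inline <script> body is left for the author to move into the Site Assets file.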


Sources