Microsoft is rolling out Content Security Policy (CSP) enforcement across SharePoint Online. This security standard controls how scripts, styles, and external resources load on a page. When enforced, custom solutions, such as SPFx web parts, extensions, embedded scripts, or third-party integrations, that use unsafe patterns will stop working.
If you use ShortPoint customization features like the Theme Builder, the Code Design Element, or the Global Scripts and Styles, this article shows you how to test for CSP compliance using a simple URL parameter.
TABLE OF CONTENTS
- Understanding CSP in SharePoint
- ShortPoint and CSP Enforcement
- How to Simulate Enforcement: The ?csp=enforce Query Parameter
- How to Test in Report-Only Mode: The ?csp=report Query Parameter
- How to Read a CSP Error
- What to Look For: Common CSP Violations in SharePoint
- Recommended Testing Workflow
- Summary
- Frequently Asked Questions
ShortPoint and CSP Enforcement
Microsoft is tightening CSP rules in SharePoint Online to protect against cross-site scripting (XSS) and other injection attacks. If you use custom JavaScript in the Theme Builder, the Code Design Element, or the Global Scripts and Styles feature, CSP enforcement may block your customizations. Inline scripts and JavaScript loaded from external sources (CDNs, third-party libraries) will likely be blocked unless they're from approved domains.
Use the steps below to detect potential CSP violations from any of your customizations.
How to Simulate Enforcement: The ?csp=enforce Query Parameter
SharePoint Online lets you simulate CSP enforcement on any page by adding ?csp=enforce to the URL. This shows you exactly what would break on that page once enforcement is switched on.
Follow these steps:
Step 1: Open your SharePoint page
Navigate to the SharePoint page you want to test. Focus on pages with Theme Builder and Global Scripts and Styles customizations, and pages with Code Design Elements embedding content or third-party integrations. These are most likely to be affected.
Step 2: Add ?csp=enforce to the URL
Go to your browser's address bar and add ?csp=enforce to your URL.
For example:
https://yourtenant.sharepoint.com/sites/yoursite/SitePages/Home.aspx?csp=enforce
If the URL already has query parameters, use &csp=enforce:
https://yourtenant.sharepoint.com/sites/yoursite/SitePages/Home.aspx?env=WebView&csp=enforce
Step 3: Open your browser's Developer Tools
Do any of the following to launch your browser's Developer Tools, then go to the Console tab.
- Right-click anywhere on the page, then click Inspect.
- Press F12 or Ctrl+Shift+I (Windows) / Cmd+Option+I (Mac).
Step 4: Look for CSP violation errors
CSP violations appear as red error messages.
Here are some examples:
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'nonce-...' 'strict-dynamic'"
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not
an allowed source of script in the following Content Security Policy directive: ...
Refused to load the script 'https://example.com/somescript.js' because it
violates the following Content Security Policy directive: ...
Step 5: Test page functionality
Beyond checking console errors, you will also need to interact with the page. Click buttons, open integrations, trigger dynamic behavior. Some violations only appear when specific code runs, not on initial load.
Repeat these steps for all pages with custom components. CSP compliance is component-specific. A web part that works on one page might fail on another if it loads different scripts conditionally.
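Because some violations only surface when you interact with the page (Step 5), it helps to record every violation the browser reports rather than re-reading the Console after each click. The following is an added example, not ShortPoint's or Microsoft's code: it uses the browser's standard securitypolicyviolation event, and the names cspViolations, summarizeViolation, groupViolations and cspReport are chosen here.

```javascript
// Added example (not ShortPoint's or Microsoft's code): paste into the DevTools
// Console of a page opened with ?csp=enforce, then interact with the page. Every
// violation the browser reports, including ones triggered later by a click, is
// captured in cspViolations so none are lost in console noise.
const cspViolations = [];

// Reduce a SecurityPolicyViolationEvent (or any object with the same fields) to the
// three things to read: what was blocked, which directive, and the offending source.
function summarizeViolation(e) {
  const directive = e.effectiveDirective || e.violatedDirective || 'unknown';
  const type = directive.split('-src')[0];          // script-src-elem -> script
  const uri = e.blockedURI || '';
  let what, source = uri;
  if (uri === 'inline') {
    what = `inline ${type}`;
    // Inline content has no URL, so point at the file and line that injected it.
    source = e.sourceFile ? `${e.sourceFile}:${e.lineNumber || 0}` : 'inline';
  } else if (uri === 'eval') {
    what = 'string-to-code (eval)';
  } else {
    what = `external ${type}`;
  }
  return { what, directive, source, disposition: e.disposition || 'enforce' };
}

// Group violations so a CDN script requested on every click is listed once with a count.
function groupViolations(events) {
  const groups = new Map();
  for (const v of events.map(summarizeViolation)) {
    const key = `${v.what} | ${v.directive} | ${v.source}`;
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return [...groups].map(([key, count]) => ({ key, count }));
}

if (typeof document !== 'undefined') {
  // Browser only: fires once per blocked resource, on load and during interaction.
  document.addEventListener('securitypolicyviolation', (ev) => cspViolations.push(ev));
  // After exercising the page, run cspReport() in the Console.
  globalThis.cspReport = () => console.table(groupViolations(cspViolations));
}
```

The disposition field reads 'enforce' on a page loaded with ?csp=enforce and 'report' under a report-only policy, so the same collector works for either mode.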
How to Read a CSP Error
A CSP console error shows three things:
- What was blocked: The resource type (script, style, frame, image, etc.)
- Which directive was violated: e.g., script-src, style-src, frame-src
- The offending source: The URL or indication that it was inline content
Example:
Refused to load the script 'https://cdn.example.com/widget.js' because it
violates the following Content Security Policy directive: "script-src 'nonce-abc123' 'strict-dynamic' ..."
This means cdn.example.com/widget.js isn't in the trusted script sources and needs to be added. Refer to our article on Managing Trusted Script Sources for JavaScript Customizations in ShortPoint for more details on how to do this.
What to Look For: Common CSP Violations in SharePoint
| Violation | Typical Cause | How to Fix |
|---|---|---|
| Inline script blocked | <script> tags injected via Code Design Element / Global Scripts and Styles / Custom JavaScript in Theme Builder | Move code into an external .js file and reference it as an external script |
| Inline event handler blocked | HTML attributes like onclick="doSomething()" or onload="init()" | Use addEventListener() in your JavaScript code instead |
| External script blocked | Loading scripts from CDNs or third-party domains not in the allow list | Add the external script source as a trusted domain by following the steps in Managing Trusted Script Sources for JavaScript Customizations in ShortPoint (linked below) |
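To turn the red Console lines from Step 4 into the three parts described in How to Read a CSP Error and the fix column of the table above, the following added example (not ShortPoint's or Microsoft's code) parses the message formats shown on this page. The sample lines in cspConsoleLines are constructed from those formats, and the names parseCspError and triage are chosen here.

```javascript
// Added example (not ShortPoint's or Microsoft's code). Paste the red CSP lines
// from the Console into cspConsoleLines; triage() turns each into what was
// blocked, the directive, the source, and the matching fix from the table above.
const cspConsoleLines = [ // constructed sample lines in the formats shown above
  `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-abc123' 'strict-dynamic'".`,
  `Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-abc123' 'strict-dynamic'".`,
  `Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: "script-src 'nonce-abc123' 'strict-dynamic'".`,
];

// One rule per message shape; the external-resource rule captures type and URL.
const RULES = [
  { re: /^Refused to execute inline script because/, what: 'Inline script blocked', source: 'inline',
    fix: 'Move the code into an external .js file and reference it as an external script' },
  { re: /^Refused to execute inline event handler because/, what: 'Inline event handler blocked', source: 'inline attribute',
    fix: 'Replace onclick="..." / onload="..." attributes with addEventListener()' },
  { re: /^Refused to evaluate a string as JavaScript because/, what: 'String-to-code (eval) blocked', source: 'eval',
    fix: "Rewrite code that needs 'unsafe-eval' (eval(), new Function(), string timers)" },
  { re: /^Refused to load the (\w+) '([^']+)' because/, what: 'External resource blocked', source: 'external',
    fix: 'Add the host as a trusted domain (for scripts: SharePoint Admin Center > Advanced > Script sources)' },
];

// Parse one Console line into { what, directive, source, fix } (plus host for URLs).
function parseCspError(line) {
  // The violated directive is the first token of the quoted policy, e.g. "script-src".
  const d = line.match(/directive: "([^"]+)"/);
  const directive = d ? d[1].split(/\s+/)[0] : 'unknown';
  for (const rule of RULES) {
    const m = line.match(rule.re);
    if (!m) continue;
    const out = { what: rule.what, directive, source: rule.source, fix: rule.fix };
    if (m[2]) { // external resource: keep the URL and the host you would allow-list
      out.what = `External ${m[1]} blocked`;
      out.source = m[2];
      out.host = new URL(m[2]).host;
    }
    return out;
  }
  return { what: 'Unrecognised CSP message', directive, source: 'unknown', fix: 'Read the line manually' };
}

function triage(lines) { return lines.map(parseCspError); }
```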
Summary
Testing for CSP compliance is straightforward: add ?csp=enforce to your SharePoint page URL, open DevTools, and check for console errors. Test now before Microsoft enables enforcement for your tenant. Every inline script and unvetted external resource is a potential failure point. Identifying and fixing these issues proactively will prevent scrambling when enforcement goes live.
Frequently Asked Questions
Does ?csp=enforce affect other users?
No. The query parameter only affects your specific page load. Other users won't see enforcement unless your tenant has enabled it globally.
Will Microsoft eventually enforce CSP without the query parameter?
Yes. Microsoft is rolling out CSP enforcement across SharePoint Online on March 1, 2026. The query parameter lets administrators and developers prepare in advance. Read Content Security Policy (CSP) in SharePoint Online: What It Is and Why It Matters to learn more.
Can I whitelist a specific external domain?
Yes. In SharePoint Admin Center, navigate to Advanced > Script sources and add the domain as a trusted script source. Once added, scripts from that domain will be allowed under CSP enforcement. You can check out our article on Managing Trusted Script Sources for JavaScript Customizations in ShortPoint for more details.
Related articles:
- Content Security Policy (CSP) in SharePoint Online: What It Is and Why It Matters
- Quick Guide to Ensuring ShortPoint Compatibility with Microsoft’s Content Security Policy (CSP)
- Managing Trusted Script Sources for JavaScript Customizations in ShortPoint
- Ensuring ShortPoint CSP Compliance via Manual Domain Authorization