SharePoint CSP "Refused to Load" Errors — March 2026 Fix
Microsoft enforced Content Security Policy for SharePoint Online on March 1, 2026, with a final deadline of June 1, 2026. IT departments are seeing "Refused to load the script" and "Refused to load the stylesheet" console errors. Here’s what changed, plus the exact config to fix it.
What Changed in March 2026
Microsoft began enforcing CSP headers on SharePoint Online pages. Custom web parts, SPFx solutions, and third-party scripts that load from unapproved origins are now being blocked. The error typically looks like:
"Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: script-src..."
Why You're Seeing These Errors
SharePoint's enforced CSP defines directives such as default-src and script-src that primarily allow Microsoft's own CDNs and tenant-approved sources. Any custom script or stylesheet loaded from an external CDN that is not on your allowlist is blocked by the browser.
The Fix — Add Your Domain to the SharePoint CSP Allowlist
Update your tenant policy so legitimate origins are permitted:
- Go to SharePoint Admin Center → Policies → Other features → Content Security Policy.
- Add your external script hosts to the script-src allowlist.
- Add your external stylesheet hosts to the style-src allowlist.
- Save and wait up to 15 minutes for propagation across the service.
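To work out which origins the steps above need to cover, the browser's `securitypolicyviolation` event can be summarised per directive. This is an added example, not code from Microsoft or CSPFixer; the function name `summarizeViolations`, the `FOLD` mapping and the sample records (including `fonts.example.net`) are constructed for illustration.

```javascript
// Added example. Sample records below are constructed, not captured from a tenant.
// Sub-directives a browser may report, folded into the two allowlists named above.
const FOLD = {
  'script-src-elem': 'script-src', 'script-src-attr': 'script-src',
  'style-src-elem': 'style-src', 'style-src-attr': 'style-src',
};

// records: [{ effectiveDirective, blockedURI }], the fields of SecurityPolicyViolationEvent
function summarizeViolations(records) {
  const byDirective = {};        // directive -> Set of blocked origins
  const notAllowlistable = [];   // inline/eval/data: there is no host to add
  for (const r of records) {
    const directive = FOLD[r.effectiveDirective] || r.effectiveDirective;
    let origin = null;
    try {
      const u = new URL(r.blockedURI);
      if (u.protocol === 'https:' || u.protocol === 'http:') origin = u.origin;
    } catch (err) {
      origin = null;             // "inline", "eval" and similar keywords are not URLs
    }
    if (origin === null) {
      notAllowlistable.push({ directive, blocked: r.blockedURI });
      continue;
    }
    if (!byDirective[directive]) byDirective[directive] = new Set();
    byDirective[directive].add(origin);
  }
  const allowlistCandidates = {};
  for (const d of Object.keys(byDirective).sort()) {
    allowlistCandidates[d] = [...byDirective[d]].sort();
  }
  return { allowlistCandidates, notAllowlistable };
}

const SAMPLE = [ // constructed records
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://cdn.example.com/widget.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://cdn.example.com/vendor.js' },
  { effectiveDirective: 'style-src-elem', blockedURI: 'https://fonts.example.net/site.css' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline' },
];

// In a browser, collect live violations; outside a browser this block is skipped.
if (typeof document !== 'undefined') {
  const seen = [];
  document.addEventListener('securitypolicyviolation', (e) => {
    seen.push({ effectiveDirective: e.effectiveDirective, blockedURI: e.blockedURI });
    console.log(JSON.stringify(summarizeViolations(seen), null, 2));
  });
}
```

Treat the output as a review list rather than an allowlist: confirm each origin is one your organisation actually depends on before adding it, and handle the `notAllowlistable` entries by changing the code, since no host entry covers them.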
Fix for SPFx Web Parts
SPFx solutions that load external resources may need package-solution.json updated with a matching webApiPermissionRequests entry—or bundle assets locally instead of loading from an external CDN so they satisfy the enforced policy.
Quick Check — Use CSPFixer
Not sure which domains are being blocked? CSPFixer scans your page's actual resources and generates a working CSP automatically.
Scan your page with CSPFixer →
Temporary Workaround (use with caution)
Microsoft provides an optional deferral that pushes strict enforcement to June 1, 2026, via a tenant-level setting in the Microsoft 365 admin experience (check Message center and SharePoint admin release notes for the exact toggle name in your wave). Enabling it reduces breakage in the short term but does not replace fixing your allowlists; treat it as breathing room while you add legitimate origins, not as the final solution.
Resources
- Microsoft Learn — SharePoint Online documentation (official updates; use admin Message center for CSP enforcement announcements tied to your tenant)
- OWASP Content Security Policy guide (Secure Headers project)
- MDN CSP reference