How SharePoint Online Enforces CSP — And How to Work Around It
On March 1, 2026, Microsoft began enforcing Content Security Policy on SharePoint Online pages. Scripts that worked for years now produce "Refused to load" console errors. Here is exactly what changed and how to fix your SPFx components.
Affected Since
March 1, 2026 (enforcement). Optional delay to June 1, 2026 available via tenant settings. After June 1, no override is possible.
What Microsoft's SharePoint CSP actually blocks
SharePoint Online's enforced CSP blocks the following by default:
- External script sources not on Microsoft's allowlist — including most CDN-loaded libraries
- Inline scripts — <script>...</script> blocks injected into page markup
- eval() and Function() constructors — dynamic code execution
- Custom JavaScript files loaded from non-SharePoint domains
What is still allowed
- Scripts from *.sharepoint.com and *.microsoft.com
- Scripts uploaded to SharePoint document libraries (loaded from the same origin)
- SPFx components deployed through the App Catalog
- Scripts explicitly whitelisted via the tenant CSP settings
How to check what is blocked on your tenant
# Check tenant CSP setting
Get-SPOTenant | Select-Object DisableCustomAppAuthentication
# View current CSP headers on your SharePoint site
curl -I https://yourtenant.sharepoint.com/sites/yoursite | grep -i content-security
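Once you have the header value from the check above, you can compare it with the script URLs your pages load. The following JavaScript is an added example, not code from the original page or from Microsoft; the function names and SAMPLE_* values are constructed for illustration, and the matcher covers 'self', scheme and host sources only (nonces, hashes, 'strict-dynamic' and redirects are ignored).

```javascript
// Added example; SAMPLE_* values are constructed, not real tenant output.
const SAMPLE_PAGE = 'https://yourtenant.sharepoint.com/sites/yoursite';
const SAMPLE_CSP = "default-src 'self'; script-src 'self' *.sharepoint.com *.microsoft.com https://cdn.yourdomain.com";
const SAMPLE_SCRIPTS = [
  '/sites/yoursite/SiteAssets/myScript.js',        // same origin
  'https://cdn.yourdomain.com/library.js',         // explicitly listed
  'https://cdn.example.com/library.js',            // not listed
  'https://microsoft.com/lib.js',                  // apex host: *.microsoft.com covers subdomains only
  'https://microsoft.com.cdn.example.com/lib.js',  // listed name is not the host suffix
];
// Source list that governs scripts: script-src, else default-src, else null (no limit).
function scriptSources(csp) {
  const seen = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !seen.has(key)) seen.set(key, values); // first occurrence wins
  }
  return seen.get('script-src') || seen.get('default-src') || null;
}
// Does one source expression allow this URL? Nonces, hashes and redirects are ignored.
function sourceAllows(source, url, page) {
  if (source.startsWith("'")) return source === "'self'" && url.origin === page.origin;
  if (source === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const want = (scheme || page.protocol.slice(0, -1)).toLowerCase(); // schemeless source inherits page scheme
  const got = url.protocol.slice(0, -1);
  if (got !== want && !(want === 'http' && got === 'https')) return false;
  const h = host.toLowerCase();
  const hostOk = h === '*' || (h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  const def = got === 'https' ? '443' : '80';
  const portOk = port === '*' || (url.port || def) === (port || def);
  const pathOk = !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
  return hostOk && portOk && pathOk;
}
// Report, per script URL, whether the policy allows it and which source matched.
function auditScripts(csp, pageUrl, scriptUrls) {
  const page = new URL(pageUrl);
  const sources = scriptSources(csp);
  return scriptUrls.map((raw) => {
    const url = new URL(raw, page); // resolves site-relative paths against the page
    const allowedBy = sources ? sources.find((s) => sourceAllows(s, url, page)) || null : '(no policy)';
    return { url: url.href, allowed: allowedBy !== null, allowedBy };
  });
}
console.table(auditScripts(SAMPLE_CSP, SAMPLE_PAGE, SAMPLE_SCRIPTS));
```

Feed it the header string returned for your own site and the script URLs from your web parts; anything reported as not allowed is a candidate for one of the fixes below.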
Fix 1 — Move scripts to SharePoint CDN or App Catalog
The safest fix: upload your JavaScript files to a SharePoint document library or deploy through the App Catalog. Both are on the allowed origin.
// SPFx webpart — reference local files instead of CDN
// Instead of:
// <script src="https://cdn.example.com/library.js"></script>
// Deploy library.js to:
// https://yourtenant.sharepoint.com/sites/yoursite/SiteAssets/library.js
// Or use SPFx externals in config/config.json to bundle it:
{
  "externals": {
    "your-library": {
      "path": "https://yourtenant.sharepoint.com/sites/yoursite/SiteAssets/library.js",
      "globalName": "YourLibrary"
    }
  }
}
Fix 2 — Add your domain to the tenant CSP allowlist (admin)
# PowerShell — add external script source to tenant CSP
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl */SiteAssets
Set-SPOTenant -ContentSecurityPolicyConfiguration @{
    DefaultSrc = @("'self'", "*.microsoft.com", "*.sharepoint.com", "https://cdn.yourdomain.com")
    ScriptSrc = @("'self'", "*.microsoft.com", "*.sharepoint.com", "https://cdn.yourdomain.com")
}
Fix 3 — Rewrite inline scripts as external files
If you have inline <script> blocks in Script Editor webparts or page content, move them to .js files in a document library:
// Before — inline script (blocked)
// <script>
// var x = document.getElementById('myEl');
// x.style.color = 'red';
// </script>
// After — external file in SiteAssets (allowed)
// <script src="/sites/yoursite/SiteAssets/myScript.js"></script>
How to delay enforcement to June 1, 2026
# Tenant admin — delay enforcement
Set-SPOTenant -ContentSecurityPolicyEnforcementDelay $true
# Note: This option expires June 1, 2026. Plan your migration now.
Use CSPFixer to scan your SharePoint page and see exactly which resources are being blocked. It outputs the corrected header values and fix instructions.