Fix SharePoint Content Security Policy — 2026

URGENT: SharePoint enforces CSP against third-party CDNs and inline dependencies that are not tenant-approved. Add each required host under Admin Center CSP settings; SPFx packages that pull widgets remotely must either bundle locally or update manifest permissions.

Failure looks like console violations naming script-src or style-src. Document every external dependency during PR review so the allowlist stays intentional.
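An added example, not from the original page or from any SharePoint tooling: it groups CSP violation records by script-src and style-src and lists the blocked hosts that are missing from a documented allowlist. `DOCUMENTED_HOSTS`, the function names and the sample records are assumptions constructed for illustration; the `effectiveDirective` and `blockedURI` fields are those of the browser's `securitypolicyviolation` event.

```javascript
// Added example; DOCUMENTED_HOSTS and SAMPLE_VIOLATIONS are constructed values.
const DOCUMENTED_HOSTS = {
  'script-src': new Set(['cdn.example.com']),
  'style-src': new Set(['fonts.example.com']),
};
// Records shaped like SecurityPolicyViolationEvent (effectiveDirective, blockedURI).
const SAMPLE_VIOLATIONS = [
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://widgets.example.net/loader.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://cdn.example.com/lib.js' },
  { effectiveDirective: 'style-src-elem', blockedURI: 'https://styles.example.org/theme.css' },
  { effectiveDirective: 'style-src-attr', blockedURI: 'inline' },
  { effectiveDirective: 'img-src', blockedURI: 'https://img.example.net/a.png' },
];

// Reduce one violation to { directive, host }.
function normalizeViolation(v) {
  const raw = v.effectiveDirective || v.violatedDirective || '';
  // Fold script-src-elem / style-src-attr into the base directive.
  const directive = raw.split(' ')[0].replace(/-(elem|attr)$/, '');
  let host;
  try {
    host = new URL(v.blockedURI).host;
  } catch {
    host = v.blockedURI || 'unknown'; // keywords such as "inline" or "eval"
  }
  return { directive, host };
}

// Hosts blocked under script-src/style-src that the review record does not list.
function undocumentedHosts(violations, documented) {
  const missing = {};
  for (const v of violations) {
    const { directive, host } = normalizeViolation(v);
    if (directive !== 'script-src' && directive !== 'style-src') continue;
    if (documented[directive] && documented[directive].has(host)) continue;
    if (!missing[directive]) missing[directive] = new Set();
    missing[directive].add(host);
  }
  return Object.fromEntries(Object.entries(missing).map(([d, h]) => [d, [...h].sort()]));
}

// In a browser, run live violations through the same check.
if (typeof document !== 'undefined') {
  const seen = [];
  document.addEventListener('securitypolicyviolation', (e) => {
    seen.push(e);
    console.log(undocumentedHosts(seen, DOCUMENTED_HOSTS));
  });
}
```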
