Fix SharePoint CSP 'Refused to Load' — 2026 Enforcement

Time-sensitive Microsoft tightened Content Security Policy enforcement for SharePoint Online in 2026. Custom scripts, SPFx bundles, and third-party widgets that load from CDNs outside the tenant allowlist now show Refused to load the script or stylesheet errors in the browser console.

Open SharePoint Admin Center → Policies → Other features → Content Security Policy. Add each legitimate script-src and style-src origin your solutions require, save, and allow up to ~15 minutes for propagation. This is the durable fix—not a browser workaround.

Deep dive: SharePoint CSP blog and CSP allowlist guide. Use CSPFixer on a public mirror page if you need to enumerate blocked hosts.