With the November 2023 cumulative update for SharePoint Server, the following Content-Security-Policy header was included in the response to HTTP requests:
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com;
This change causes problems for some customers that already have their own Content-Security-Policy response header in place, with frame-ancestors values specifying where their content is allowed to be framed: a browser enforces every CSP header it receives, so a frame origin permitted by the customer's header is still blocked if it is missing from the SharePoint-generated list.
The March 2024 CU adds new functionality that allows customers to disable the SharePoint-generated CSP header for an entire SharePoint farm, to better support such scenarios.
This can be achieved using the following PowerShell script:
Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
# Turn off the SharePoint-generated Content-Security-Policy header for the whole farm
$farm.EnableCSPHeaderForPage = $false
$farm.Update()
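The following verification script is an added example, not part of the original article or of the SharePoint product: it reads the farm-level switch and then requests a page to see which Content-Security-Policy values are actually returned, so you can confirm that only the intended header remains. It assumes the SharePoint Management Shell with farm-admin rights and a placeholder site URL ($SiteUrl) that you replace with your own.

```powershell
# Added example: verify the farm-level CSP switch and the CSP header(s) a page really returns.
# Assumes the Microsoft.SharePoint.PowerShell snap-in and a placeholder site URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'https://sharepoint.contoso.local/'   # placeholder, replace with a real site in your farm

# 1. Farm-level setting: $true means SharePoint still emits its own CSP header.
$farm = Get-SPFarm
Write-Host "EnableCSPHeaderForPage = $($farm.EnableCSPHeaderForPage)"

# 2. Request a page and collect every Content-Security-Policy value in the response.
#    Windows PowerShell 5.1 joins repeated headers with ', '; PowerShell 7 returns a string
#    array, so both shapes are normalised into one list of policies.
$resp     = Invoke-WebRequest -Uri $SiteUrl -UseDefaultCredentials -UseBasicParsing
$raw      = @($resp.Headers['Content-Security-Policy'])
$policies = @($raw | ForEach-Object { $_ -split ',\s*' } | Where-Object { $_ })

Write-Host "CSP header values returned: $($policies.Count)"
$policies | ForEach-Object { Write-Host "  $_" }

# 3. Browsers enforce every CSP header independently, so a frame is allowed only if all
#    frame-ancestors lists permit it. More than one policy is the symptom described above.
if ($policies.Count -gt 1) {
    Write-Warning 'Multiple CSP headers present: the SharePoint-generated header and the custom header are both enforced.'
}

# 4. The SharePoint-generated header is recognisable by its Microsoft 365 host list.
$spGenerated = $policies | Where-Object { $_ -match 'frame-ancestors' -and $_ -match 'teams\.microsoft\.com' }
if ($spGenerated) {
    Write-Host 'SharePoint-generated frame-ancestors header is still active on this page.'
} elseif ($policies.Count -eq 0) {
    Write-Warning 'No Content-Security-Policy header at all: nothing restricts framing of this page.'
} else {
    Write-Host 'Only the custom CSP header is returned.'
}
```

Once EnableCSPHeaderForPage is set to $false, the custom header is the only frame-ancestors protection left, so it must itself list every host (including the Microsoft 365 hosts above, if used) that legitimately frames the farm's pages.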
References: