With the November 2023 cumulative update for SharePoint Server, the following Content-Security-Policy header was added to the HTTP responses SharePoint generates:
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com;
This change causes problems for customers that already send their own Content-Security-Policy response header with frame-ancestors values specifying where specific content may be framed. Browsers enforce every Content-Security-Policy header they receive, so a page must satisfy both policies, and an origin allowed only by the customer's header is still blocked by the SharePoint-generated one.
The March 2024 CU adds the ability to disable the SharePoint-generated CSP header for a SharePoint farm to better support such scenarios.
This can be done with the following PowerShell script:
Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
$farm.EnableCSPHeaderForPage = $false
$farm.Update()
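The following script is an added example and not part of the original post. It disables the farm-generated header as above and then sets a replacement Content-Security-Policy header in IIS, which is the approach recommended in the comments for farms that need additional framing origins. The IIS site name 'SharePoint - 443', the origin https://apps.contoso.com and the URL https://sharepoint.contoso.com/ are assumed values; replace them with your own. The WebAdministration cmdlets used are the standard IIS ones.

```powershell
# Added example (not from the original post): turn off the SharePoint-generated CSP header
# and replace it with a custom frame-ancestors policy maintained in IIS.
# Assumed values: IIS site 'SharePoint - 443', allowed framing origin https://apps.contoso.com,
# verification URL https://sharepoint.contoso.com/ (all hypothetical).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$iisSiteName    = 'SharePoint - 443'                 # assumption: your web application's IIS site
$allowedFramers = @('https://apps.contoso.com')       # assumption: external origins allowed to frame SharePoint
$verifyUrl      = 'https://sharepoint.contoso.com/'   # assumption: any page served by that web application

# 1. Stop SharePoint from emitting its own Content-Security-Policy header (March 2024 CU or later).
$farm = Get-SPFarm
if ($farm.EnableCSPHeaderForPage) {
    $farm.EnableCSPHeaderForPage = $false
    $farm.Update()
}

# 2. Build the replacement value. 'self' keeps same-origin framing working; every other origin
#    listed here may embed SharePoint pages, so this list is the clickjacking surface you accept.
$cspValue = "frame-ancestors 'self' " + ($allowedFramers -join ' ')

# 3. Write the header into the IIS site's customHeaders collection (update in place if present).
$filter = 'system.webServer/httpProtocol/customHeaders'
$psPath = "IIS:\Sites\$iisSiteName"
$existing = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection |
            Where-Object { $_.name -eq 'Content-Security-Policy' }
if ($existing) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='Content-Security-Policy']" `
                                 -Name value -Value $cspValue
} else {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
                                 -Value @{ name = 'Content-Security-Policy'; value = $cspValue }
}

# 4. Verify from the server: exactly one CSP header, with the value we set. Two values (or a
#    comma-joined value) mean the SharePoint header is still being emitted alongside ours.
$response     = Invoke-WebRequest -Uri $verifyUrl -UseDefaultCredentials -UseBasicParsing
$headerValues = @($response.Headers['Content-Security-Policy'])
if ($headerValues.Count -eq 1 -and $headerValues[0] -eq $cspValue) {
    Write-Output "OK: Content-Security-Policy = $($headerValues[0])"
} else {
    Write-Warning "Unexpected Content-Security-Policy header(s): $($headerValues -join ' | ')"
}
```

The farm setting is stored once in the configuration database, but the IIS customHeaders entry lives in each server's applicationHost.config or the web application's web.config, so run steps 3 and 4 on every web front-end. The verification step is what tells you whether a later patch has started emitting the SharePoint header again.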
Hi Steve,
How do I implement this Content-Security-Policy header on an Office Online Server farm?
Thanks
Praveen
Hello,
Is it possible to add another site to this list?
Thanks
Hi Alexandre,
The sites are hard-coded. What you can do is disable the standard CSP header and add your own, e.g. in the IIS settings.
Cheers,
Stefan
Thanks Stefan
It seems possible to add to the list using farm settings with PowerShell. Items added to the generic list 'AllowIframeAppAuthorizePageDomains' are appended to the end of the 'frame-ancestors' value of the 'Content-Security-Policy' header, after the default items from SharePoint.
# Load the SharePoint cmdlets and get the farm
Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
# Add an item to the list
$farm.AddGenericAllowedListValue("AllowIframeAppAuthorizePageDomains", "mydomain.local")
# Read the items in the list
$farm.GetGenericAllowedListValues("AllowIframeAppAuthorizePageDomains")
Hello Stefan,
we experienced some issues because of that CSP header, because it also prevents SharePoint pages from being displayed in an iframe. Some custom solutions in our environment (SP 2019 on-premises) rely on this and simply stopped working.
To solve this we added the 'URL Rewrite' module in the front-end server's IIS and added the applications' URLs to the CSP header. This has solved the problem.
Now my question is:
Is it to be expected that further patches will ‘reset’ the header so that we will have to do this again?
With kind regards,
Johannes
Hi Johannes,
this is not guaranteed.
You should rather disable the header per the instructions above and add your own header (e.g. in the IIS settings).
Cheers,
Stefan
Hi Stefan,
Can you please show how to set missing CSP settings on SPO sites?
Hi Ramesh,
it would require some research to see if this is possible.
Please open a support ticket with Microsoft if you need this investigated.
Cheers,
Stefan