Control Content-Security-Policy Header for SharePoint Pages

With the November 2023 cumulative update for SharePoint Server, the following Content-Security-Policy header was included in the response to HTTP requests:

Content-Security-Policy: frame-ancestors 'self' * * * * * * * * * * * *;

This change causes problems for some customers who already have their own Content-Security-Policy response header in place with frame-ancestors values that specify where specific content is allowed to be framed.

The March 2024 CU includes new functionality that allows customers to disable the SharePoint-generated CSP header for a SharePoint farm to better support such scenarios.
This can be achieved using the following PowerShell script:

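Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
# Turn off the SharePoint-generated Content-Security-Policy header for the farm
$farm.EnableCSPHeaderForPage = $false
# Persist the changed farm property to the configuration database
$farm.Update()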
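
An added example (not from the original post or from Microsoft) for checking the result: it parses the Content-Security-Policy values seen on one response and reports each policy's frame-ancestors sources, because browsers enforce every policy they receive and a framing page must satisfy all of them. The function name Get-FrameAncestorsPolicy and the sample header values are assumptions constructed for illustration.

```powershell
# Added example: summarize frame-ancestors for every CSP policy on one response.
function Get-FrameAncestorsPolicy {
    param([string[]]$HeaderValue)   # one entry per Content-Security-Policy header line
    $index = 0
    foreach ($value in $HeaderValue) {
        # Several policies can be folded into one header value, comma-separated
        foreach ($policy in ($value -split ',')) {
            if (-not $policy.Trim()) { continue }
            $index++
            $sources = $null
            foreach ($directive in ($policy -split ';')) {
                $tokens = @($directive.Trim() -split '\s+' | Where-Object { $_ })
                if ($tokens.Count -gt 0 -and $tokens[0] -ieq 'frame-ancestors') {
                    $sources = @($tokens | Select-Object -Skip 1)
                    break   # only the first occurrence of a directive counts
                }
            }
            [pscustomobject]@{
                Policy            = $index
                HasFrameAncestors = $null -ne $sources
                Sources           = $sources -join ' '
            }
        }
    }
}

# Constructed sample values (not captured from a real farm)
$sample = @(
    "frame-ancestors 'self' *.example.net;",                                   # stand-in for the SharePoint-generated header
    "default-src 'self'; frame-ancestors 'self' https://intranet.example.com"  # stand-in for a customer-defined header
)
$result = @(Get-FrameAncestorsPolicy -HeaderValue $sample)
$result | Format-Table -AutoSize

$framing = @($result | Where-Object HasFrameAncestors)
if ($framing.Count -gt 1) {
    Write-Warning 'More than one policy sets frame-ancestors; a framing page must be allowed by every one of them.'
} elseif ($framing.Count -eq 0) {
    Write-Warning 'No policy sets frame-ancestors; CSP does not restrict framing of this response.'
}
```

Against a live page, pass the Content-Security-Policy value(s) from an Invoke-WebRequest response's Headers collection instead of $sample. After disabling the farm header, exactly one policy with frame-ancestors (your own) should remain.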

