Control Content-Security-Policy Header for SharePoint Pages

With the November 2023 cumulative update for SharePoint Server, the following Content-Security-Policy header was included in the response to HTTP requests:

Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com;

This change causes problems for some customers who already have their own Content-Security-Policy response header in place, with frame-ancestors values that specify where specific content is allowed to be framed.

The March 2024 CU includes new functionality that lets customers disable the SharePoint-generated CSP header for a SharePoint farm to better support such scenarios.
This can be achieved using the following PowerShell script:

Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
$farm.EnableCSPHeaderForPage = $false
$farm.Update()
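
The following is an added example, not part of the original post or of Microsoft's guidance: it disables the farm-generated header as shown above, sets a replacement Content-Security-Policy as an IIS custom response header, and then checks what the server actually returns. The IIS site name, test URL and allowed framing origin are placeholders, and applying the header at the IIS site level is an assumption about how you want to deploy it.

```powershell
# Added example. Run in an elevated SharePoint Management Shell (Windows PowerShell).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Placeholder values: replace with your own.
$siteName = 'SharePoint - 443'                   # IIS site of the web application
$testUrl  = 'https://sharepoint.example.local/'  # a page served by that site
$policy   = "frame-ancestors 'self' https://portal.example.local"

# 1. Disable the SharePoint-generated CSP header (property from the March 2024 CU).
$farm = Get-SPFarm
if ($farm.EnableCSPHeaderForPage) {
    $farm.EnableCSPHeaderForPage = $false
    $farm.Update()
}

# 2. Add the replacement header in IIS, or update it if it already exists.
#    IIS configuration is per server, so repeat this on every web front end.
$psPath = "IIS:\Sites\$siteName"
$parent = 'system.webServer/httpProtocol/customHeaders'
$entry  = "$parent/add[@name='Content-Security-Policy']"
if (Get-WebConfiguration -PSPath $psPath -Filter $entry) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter $entry -Name value -Value $policy
} else {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $parent -Name '.' `
        -Value @{ name = 'Content-Security-Policy'; value = $policy }
}

# 3. Verify the response. Windows PowerShell joins repeated headers with commas,
#    so more than one frame-ancestors directive means two policies are being sent.
#    Browsers enforce every CSP header they receive, so the effective result is
#    the most restrictive combination of them.
$resp  = Invoke-WebRequest -Uri $testUrl -UseDefaultCredentials -UseBasicParsing
$csp   = [string]$resp.Headers['Content-Security-Policy']
$count = ([regex]::Matches($csp, 'frame-ancestors')).Count

switch ($count) {
    0       { Write-Warning 'No frame-ancestors policy is being returned.' }
    1       { Write-Output  "OK: $csp" }
    default { Write-Warning "Multiple frame-ancestors policies returned: $csp" }
}
```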


9 Comments


  1. Hi Steve,

    How to implement this Content-Security-Policy header on an Office Online Server farm?

    Thanks
    Praveen


  2. Hello,

    Is it possible to add another site in this list?

    Thanks


    1. Hi Alexandre,
      the sites are hard coded. What you can do is to disable the standard CSP header and add your own – e.g. in the IIS settings.
      Cheers,
      Stefan


    2. It seems possible to add to the list using farm settings with PowerShell: items added to the generic list 'AllowIframeAppAuthorizePageDomains' will be added to the end of the 'Content-Security-Policy' header value 'frame-ancestors', with the default items from SharePoint.

      Get the farm

      $farm = Get-SPFarm

      Add an item to the list

      $farm.AddGenericAllowedListValue("AllowIframeAppAuthorizePageDomains", "mydomain.local")

      Read the items in the list

      $farm.GetGenericAllowedListValues("AllowIframeAppAuthorizePageDomains")


  3. Hello Stefan,

    we experienced some issues because of that CSP header because it also prevents SharePoint pages from being displayed in an iframe. Some custom solutions in our environment (SP 2019 On-Premises) utilize this and simply stopped working.
    To solve this we added the 'URL Rewrite' module in the frontend server's IIS and added the application's URLs to the CSP header. This has solved the problem.
    Now my question is:
    Is it to be expected that further patches will ‘reset’ the header so that we will have to do this again?

    With kind regards,
    Johannes


    1. Hi Johannes,
      this is not guaranteed.
      You should better disable the header per the instructions above and add your own header (e.g. in the IIS settings).
      Cheers,
      Stefan


  4. Hi Stefan,
    Can you please set how to set missing CSP settings on SPO Sites?


    1. Hi Ramesh,
      it would require some research to see if this is possible.
      Please open a support ticket with Microsoft if you need this investigated.
      Cheers,
      Stefan

