SharePoint: Content Security Policy Control in Tenant Administration

🚨 The Signal: SharePoint Online now lets tenant administrators define and enforce a Content Security Policy (CSP) for modern pages. Administrators decide which origins are allowed to serve script to those pages, and the browser refuses to load script from anywhere else. This reduces the impact of cross-site scripting (XSS) and content injection that depends on pulling script or content from unapproved external sources; it does not vet the scripts that the approved sources serve, so the allowlist itself has to be kept short and reviewed.

The Impact

SharePoint administrators and security teams are the primary audience. The net effect is a reduced risk of client-side attacks that rely on loading script from untrusted sources, in exchange for the work of identifying and approving the sources that legitimate customizations need.

  • SharePoint Administrators: Gain a tenant-level control over which script sources modern pages may load from.
  • Security Teams: Reduced risk of XSS and content injection, plus a clear allowlist to review and monitor.
  • Developers: Custom solutions on modern pages that load script from external hosts (CDNs, third-party libraries) need those hosts approved, or they stop working once enforcement is on.
  • End Users: Improved protection against malicious scripts on SharePoint pages.

The Action

  1. Inventory existing custom code on modern SharePoint pages (SPFx solutions, web parts, embedded scripts) for external script dependencies.
  2. Identify every external script source (e.g., CDNs) those solutions require, and challenge any that cannot be justified.
  3. Use SharePoint Online Management Shell to configure the allowed script sources for your tenant.
  4. Enable CSP enforcement to block scripts from unapproved sources, testing representative pages first, since a blocked load shows up as a CSP violation in the browser console rather than as a visible error.
  5. Monitor SharePoint reports for blocked script attempts to identify unapproved sources, and treat any unexpected source as a potential injection rather than a missing allowlist entry.
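As an added example (not part of the original page and not Microsoft tooling), the PowerShell below supports steps 1, 2 and 4 offline: it pulls the external script URLs out of an SPFx solution's config/config.json, then checks each one against a proposed script-src allowlist using a simplified version of the CSP host-source matching rules (scheme, host with a leading "*." wildcard, port, path prefix). The tenant origin https://contoso.sharepoint.com, the config.json content and the allowlist are all constructed sample input; no cmdlet for writing the policy is assumed, since that part is done in the management shell as described in step 3.

```powershell
# Added example, not Microsoft's code: predict which external script URLs a proposed
# CSP script-src allowlist would block before enforcement is switched on in the tenant.
# Source matching is a simplified version of the CSP host-source rules; the tenant
# origin, config.json and allowlist below are constructed sample input.

function Test-CspScriptSource {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$AllowedSources,
        [string]$SiteOrigin = 'https://contoso.sharepoint.com'   # assumed tenant origin for 'self'
    )
    $u = [Uri]$Url
    $urlOrigin = '{0}://{1}' -f $u.Scheme, $u.Authority
    foreach ($src in $AllowedSources) {
        if ($src -eq "'self'") {
            if ($urlOrigin -eq $SiteOrigin) { return $true }
            continue
        }
        if ($src -eq '*') {                                        # any network scheme
            if ($u.Scheme -in 'http', 'https') { return $true }
            continue
        }
        if ($src -match '^[a-z][a-z0-9+.-]*:$') {                 # scheme-source, e.g. https:
            if ($u.Scheme -eq $src.TrimEnd(':')) { return $true }
            continue
        }
        # host-source: [scheme://]host[:port][/path]; nonces, hashes and 'none' never match a URL
        if (-not ($src -match '^(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>(?:\*\.)?[^/:*]+)(?::(?<port>\d+|\*))?(?<path>/.*)?$')) {
            continue
        }
        $m = $Matches
        if ($m.scheme) {
            if ($u.Scheme -ne $m.scheme) { continue }
        } elseif ($u.Scheme -notin 'http', 'https') { continue }
        if ($m.host.StartsWith('*.')) {                            # wildcard covers subdomains only
            if (-not $u.Host.EndsWith($m.host.Substring(1), 'OrdinalIgnoreCase')) { continue }
        } elseif ($u.Host -ne $m.host) { continue }
        if ($m.port -and $m.port -ne '*' -and [int]$m.port -ne $u.Port) { continue }
        if ($m.path) {                                             # trailing "/" means prefix match
            if ($m.path.EndsWith('/')) {
                if (-not $u.AbsolutePath.StartsWith($m.path)) { continue }
            } elseif ($u.AbsolutePath -ne $m.path) { continue }
        }
        return $true
    }
    return $false
}

function Get-SpfxExternalScript {
    # Returns every script URL declared in the "externals" map of an SPFx config/config.json
    param([Parameter(Mandatory)][string]$ConfigJson)
    $cfg = $ConfigJson | ConvertFrom-Json
    foreach ($p in $cfg.externals.PSObject.Properties) {
        if ($p.Value -is [string]) { $p.Value } else { $p.Value.path }
    }
}

function Get-CspScriptVerdict {
    param(
        [Parameter(Mandatory)][string[]]$ScriptUrl,
        [Parameter(Mandatory)][string[]]$AllowedSources
    )
    foreach ($url in $ScriptUrl) {
        [pscustomobject]@{
            Url     = $url
            Allowed = Test-CspScriptSource -Url $url -AllowedSources $AllowedSources
        }
    }
}

# Constructed sample: the "externals" block of an SPFx solution's config/config.json
$sampleConfigJson = @'
{
  "externals": {
    "jquery":    { "path": "https://code.jquery.com/jquery-3.7.1.min.js", "globalName": "jQuery" },
    "chartjs":   "https://cdn.jsdelivr.net/npm/chart.js@4/dist/chart.umd.js",
    "legacyLib": "https://legacy-cdn.fabrikam.com/widgets/app.js"
  }
}
'@

# Proposed allowed script sources (constructed); the same entries go into the tenant setting
$proposedSources = @("'self'", '*.sharepointonline.com',
                     'https://code.jquery.com', 'https://cdn.jsdelivr.net/npm/')

$urls = Get-SpfxExternalScript -ConfigJson $sampleConfigJson
Get-CspScriptVerdict -ScriptUrl $urls -AllowedSources $proposedSources | Format-Table -AutoSize
```

Run this against each SPFx solution's config.json before enabling enforcement; any row with Allowed set to False is a dependency that will break, and the decision is then to add its host to the allowlist or to drop the dependency. In the sample, the Fabrikam legacy CDN is the only URL the proposed list would block. Keeping allowlist entries as narrow as possible (a path prefix such as https://cdn.jsdelivr.net/npm/ rather than a whole host, and no bare wildcards) is what makes the policy worth having, and the tenant's own reports in step 5 remain the authoritative record of what enforcement actually blocked.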

Domain: SharePoint · Impact: high · Workload: SharePoint · Essential Eight: User Application Hardening · ISM: ISM-1412, ISM-1485, ISM-1486, ISM-1542, ISM-1585, ISM-1667, ISM-1668, ISM-1669, ISM-1670, ISM-1823, ISM-1824, ISM-1859, ISM-1860