Microsoft is introducing a significant security enhancement to SharePoint Online: the full enforcement of Content Security Policy (CSP) starting March 1, 2026.
This update marks a transition from "report-only" mode to a strict blocking model. To ensure uninterrupted functionality for your intranet, it is vital to understand how these changes impact customizations and how BindTuning has proactively prepared your tools for this transition.
Defining content security policy (CSP)
Content Security Policy is a robust, browser-level security standard designed to safeguard users against modern web threats, including:
Cross-site scripting (XSS)
Clickjacking
Unauthorized script or resource injections
CSP functions by explicitly defining trusted sources for scripts, styles, and images. Once enforced, any asset not originating from a permitted source is automatically blocked by the browser.
While Microsoft has utilized "report-only" headers for several years to log violations without affecting site performance, the upcoming enforcement will actively block non-compliant resources.
Enforcement timeline
Microsoft has outlined a clear transition path for CSP enforcement within SharePoint Online:
April 2025 – February 28, 2026: CSP remains in report-only mode. Violations are logged for administrative review but do not impact site functionality.
March 1, 2026: Full enforcement begins. SharePoint Online will start blocking scripts and resources that fail to comply with defined CSP rules.
Optional 90-day Delay: Administrators may postpone enforcement until June 1, 2026, via PowerShell if additional time is required for tenant-wide adjustments.
How BindTuning products align with CSP standards
BindTuning is committed to delivering future-proof solutions. We have proactively audited and updated our entire product line, including Themes, Web Parts, and our Accessibility Tool, to ensure full compatibility with Microsoft’s strict blocking model.
Accessibility Tool
The BindTuning Accessibility product is fully compliant with CSP requirements. It does not rely on inline scripts or external, untrusted sources. Customers utilizing this tool will experience zero impact when enforcement begins.
Themes and Web Parts
We have completed comprehensive refactoring of our modern Themes and Web Parts to align with Microsoft’s latest security guidelines. Our updates include:
Eliminating script dependencies that conflict with CSP.
Ensuring all assets load from trusted, compliant sources.
Updating SPFx packaging to meet the highest security standards.
Validating components against CSP logs during the preview period.
To benefit from these security enhancements, all customers should ensure they are running the latest versions of BindTuning modern Themes and Web Parts.
If you have installed a BindTuning product for the first time or updated your existing solutions on or after February 10, 2026, your products are already fully optimized for CSP enforcement. No further changes or updates to our products are required.
Recommended action steps for customers
To ensure a seamless transition and a secure intranet experience, we recommend the following:
Update BindTuning products: Verify that you are running the latest versions of your Themes and Web Parts via the BindTuning platform.
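Update Trusted Script Sources: Open the Content Security Policy page in the SharePoint Admin center (https://contoso-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/contentSecurityPolicy, replacing contoso with your tenant name) and add the sources described below.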
BindTuning Themes: Any URLs configured in the BindTuning Themes Settings panel under Additional Resources should be added to the Trusted Script Sources list.
BindTuning Web Parts: To ensure the web parts can load external content correctly and to prevent functionality issues when CSP enforcement is enabled, add the domains below to the Trusted Script Sources list if you use one of these web parts.
BindTuning Maps with the Google Maps provider, add https://maps.googleapis.com.
BindTuning Social with the Pinterest provider, add https://*.pinterest.com.
Adding these domains will prevent scripts from being blocked when Microsoft enforces Content Security Policy (CSP) and ensure your themes and web parts continue to work correctly.
Review built-in and other third-party custom scripts: If your organization uses "Script Editor" web parts or legacy "CEWP hacks" outside of BindTuning products, these will likely fail under CSP. Plan to migrate these to SPFx-based solutions.
Monitor tenant logs (Optional): During the report-only phase, administrators can review CSP violation logs in the browser console to identify any non-BindTuning scripts that may require attention.
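As an added example (not BindTuning or Microsoft code), the following JavaScript, runnable in Node.js, checks script URLs against a Trusted Script Sources list using simplified CSP host-source matching. The URLs in `SAMPLE_SCRIPTS` are constructed, and the check covers only tenant-added entries, not the sources SharePoint Online already allows.

```javascript
// Added example: simplified CSP host-source matching (scheme, host, port, path).
// Assumption: each Trusted Script Sources entry acts as a script-src host-source.
const TRUSTED_SOURCES = ["https://maps.googleapis.com", "https://*.pinterest.com"];
// Constructed sample URLs, standing in for scripts seen in a page or console log.
const SAMPLE_SCRIPTS = [
  "https://maps.googleapis.com/maps/api/js",
  "https://assets.pinterest.com/js/pinit.js",
  "https://pinterest.com/widget.js",
  "http://maps.googleapis.com/maps/api/js",
  "https://cdn.example.com/legacy-cewp.js",
];

function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i
    .exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1].toLowerCase() + ":", host: m[2].toLowerCase(),
           port: m[3] || null, path: m[4] || null };
}

function sourceMatches(src, url) {
  // An http: source also covers https:, never the other way round.
  const schemeOk = src.scheme === url.protocol ||
    (src.scheme === "http:" && url.protocol === "https:");
  // "*.example.com" covers subdomains only; the bare apex does not match.
  const hostOk = src.host === "*" ||
    (src.host.startsWith("*.") ? url.hostname.endsWith(src.host.slice(1))
                               : url.hostname === src.host);
  // No port in the source means "default port for the URL's scheme".
  const port = url.port || (url.protocol === "https:" ? "443" : "80");
  const portOk = src.port === "*" || (src.port === null ? url.port === "" : port === src.port);
  // A path ending in "/" is a prefix; any other path must match exactly.
  const pathOk = src.path === null ||
    (src.path.endsWith("/") ? url.pathname.startsWith(src.path)
                            : url.pathname === src.path);
  return schemeOk && hostOk && portOk && pathOk;
}

// Returns one verdict per URL, naming the trusted entry that allowed it (if any).
function auditScripts(scriptUrls, trustedSources) {
  const sources = trustedSources.map(parseSource);
  return scriptUrls.map((raw) => {
    const url = new URL(raw);
    const hit = sources.findIndex((s) => sourceMatches(s, url));
    return { url: raw, allowed: hit !== -1, matchedBy: hit === -1 ? null : trustedSources[hit] };
  });
}

console.table(auditScripts(SAMPLE_SCRIPTS, TRUSTED_SOURCES));
```

In this sample, `https://pinterest.com/widget.js` is reported as not allowed because `https://*.pinterest.com` matches subdomains only, so a script served from the bare domain would need its own entry.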
The enforcement of CSP is a significant step forward in securing the Microsoft 365 ecosystem. By choosing BindTuning, you are backed by a partner that prioritizes modern, secure development patterns.
Our proactive updates ensure that your intranet remains functional, modern, and secure at all times.
Official documentation: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/content-securty-policy-trusted-script-sources
