aeonian asked JulieWang-MSFT answered

Content Security Policy Settings for SharePoint Site Collections

We are trying to add a Content Security Policy (CSP) for a SharePoint 2013 application. CSP will not allow inline scripts and styles. Hence the whole site is collapsing. Adding "unsafe-inline" will fix the issue, but for security reasons, we are not adding "unsafe-inline". We have to fix the issue by adding "nonce" or encrypting with "Sha" values. How can we add "nonce" or "Sha" for all the scripts that are auto-generated in the SharePoint back-end, or is there any alternate solution for it other than "unsafe-inline"?

This link does not have an answer: https://social.technet.microsoft.com/Forums/en-US/8587394b-9421-43cb-a13e-1596d397a78e/adding-content-security-policy-for-sharepoint-2019?forum=SP2019

office-sharepoint-server-development

1 Answer

JulieWang-MSFT answered

Hi @aeonian,

Based on these articles (1, 2, 3), it's necessary to use nonces and hashes to allow inline scripts.

You can set the HTTP Response Headers GUI in IIS Manager or add customHeaders to your web.config:

[Image: 81433-image.png]

Since the content security policy is not within our scope of support, and I cannot find any official support, we can provide only limited help on how to set up a detailed policy.

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
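An added example, not part of the original answer and not Microsoft's code: it computes the CSP `'sha256-...'` source expressions for the inline scripts in a saved page, producing a `script-src` value that could go into a static response header such as the customHeaders entry mentioned above. The function names, the `'self'` baseline and the sample page are assumptions made for illustration. A hash only matches a script whose text is identical on every response, so scripts whose content changes per request will not be covered by it.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineScriptCollector(HTMLParser):
    """Collect the text of every <script> element that has no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # list of text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def csp_hash(script_text):
    """Return the CSP source expression for one inline script body."""
    # Browsers normalise CRLF/CR to LF while parsing, then hash the UTF-8 text.
    text = script_text.replace("\r\n", "\n").replace("\r", "\n")
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(html):
    """Build a script-src directive covering the inline scripts found in html."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    # Identical scripts share one hash; empty script elements need none.
    hashes = sorted({csp_hash(s) for s in parser.scripts if s.strip()})
    return "script-src 'self' " + " ".join(hashes)


# Constructed sample page (assumption), standing in for saved page output.
SAMPLE_PAGE = (
    '<html><head><script src="/example/site.js"></script>'
    "<script>var a = 1;</script></head><body><script>var a = 1;</script>"
    "<script>var b = 2;\r\n</script></body></html>"
)
```

Calling `build_script_src(SAMPLE_PAGE)` returns one directive with two hashes: the duplicated inline script is listed once and the external script is skipped.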


