9,603 questions
Why does Outlook Web media-src CSP block all media not hosted with Microsoft
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 66%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
adithya
5
Reputation points
I have encountered an issue with Outlook Web where media content (such as images) hosted on non-Microsoft domains is being blocked from loading. After investigation, it appears that the Content Security Policy (CSP) for media-src is strictly set to allow only Microsoft-owned domains.
Example of the issue:
-> Media URL (not loading in Outlook Web): https://mydomain.com/media/sample-image.png.
-> Error in browser console: Refused to load media from 'https://mydomain.com/media/sample-image.png' because it violates the following Content Security Policy directive: "media-src ...".
Can you please clarify the intended behaviour of this CSP policy?
Outlook Windows Classic Outlook for Windows For business
{count} vote
-
Hornblower409-4652 395 Reputation points2025-06-21T13:00:33.23+00:00 Has the understatement of the year - "I'm aware Outlook Online's CSP policy is arbitrary"
Sign in to comment
Sign in to answer