SharePoint 2019 Penetration Test issues with Content-Security-Policy

Venkateswarlu Ambala 20 Reputation points
2023-12-13T09:41:50.5233333+00:00

Currently I am working on fixing SharePoint penetration test issues. I am not able to find the fix details for two Content-Security-Policy properties (frame-ancestors 'none' and object-src 'none') in SharePoint 2019.

a. Content-Security-Policy: default-src 'self';

I received the error message below after applying "frame-ancestors 'none'" in the SharePoint 2019 web.config.

```xml
<!-- system.webServer/httpProtocol/customHeaders in web.config -->
<add name="Content-Security-Policy" value="default-src 'self';"/>
```

Error Message:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

b. Content-Security-Policy: frame-ancestors 'none'.

SharePoint out-of-the-box popups are not working after applying "frame-ancestors 'none'" in the SharePoint 2019 web.config, and I get the error message below.

```xml
<!-- system.webServer/httpProtocol/customHeaders in web.config -->
<add name="Content-Security-Policy" value="frame-ancestors 'none';"/>
```

Error Message: Refused to frame 'http://sharepoint.testing.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

I have searched Google to fix these issues, but no one has given any solution. Could someone kindly help by providing at least risk acceptance MS links to close this issue, or provide a solution to close this issue if you have one?

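The two browser errors quoted above follow from two CSP rules that are easy to miss: script-src falls back to default-src when it is not set (so "default-src 'self'" alone forbids inline event handlers), while frame-ancestors never falls back and 'none' also refuses same-origin framing, which SharePoint's modal dialogs (SP.UI.ModalDialog) rely on. The following Python evaluator is an added example, not code from the question or from Microsoft: it models those rules and runs them over the two headers from the question plus a relaxed policy of my own. The relaxed policy, the URLs and the assumption that SharePoint 2019 classic pages need 'unsafe-inline' and 'unsafe-eval' in script-src are all mine, not a Microsoft-published configuration.

```python
"""Minimal Content-Security-Policy evaluator (added example, not from the post).

Models just enough of CSP3 to explain the two errors in the question:
  * script-src falls back to default-src, so "default-src 'self'" blocks
    inline event handlers unless 'unsafe-inline', a nonce or a hash
    (plus 'unsafe-hashes' for handler attributes) is present;
  * frame-ancestors does NOT fall back to default-src, and 'none'
    refuses even same-origin ancestors such as a SharePoint dialog opener.
Host-source matching is simplified (no scheme/port checks on host sources).
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Fetch directives that inherit default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "object-src",
    "frame-src", "connect-src", "font-src", "media-src",
}
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse "a b; c d" into {"a": ["b"], "c": ["d"]}; duplicates are ignored as in CSP."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list governing `directive`, or None if the policy leaves it unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def inline_handler_verdict(policy: dict[str, list[str]]) -> str:
    """Whether onclick="..." style handlers may run under this policy."""
    src = effective_sources(policy, "script-src")
    if src is None:
        return "allowed"
    has_nonce = any(s.startswith("'nonce-") for s in src)
    has_hash = any(s.startswith(HASH_PREFIXES) for s in src)
    # 'unsafe-inline' is ignored by CSP3 browsers when a nonce or hash is present.
    if "'unsafe-inline'" in src and not (has_nonce or has_hash):
        return "allowed"
    if has_hash and "'unsafe-hashes'" in src:
        return "allowed only for handlers whose hash is listed"
    return "blocked"


def framing_verdict(policy: dict[str, list[str]], page_url: str, ancestor_url: str) -> str:
    """Whether `page_url` may be framed by a document at `ancestor_url`."""
    src = policy.get("frame-ancestors")  # deliberately no default-src fallback
    if src is None:
        return "allowed"
    page, anc = urlsplit(page_url), urlsplit(ancestor_url)
    for s in src:
        if s == "'none'":
            return "blocked"
        if s == "*":
            return "allowed"
        if s == "'self'" and (page.scheme, page.hostname, page.port) == (anc.scheme, anc.hostname, anc.port):
            return "allowed"
        if not s.startswith("'"):  # host-source, e.g. https://*.corp.example
            host = s.split("://")[-1].split("/")[0].split(":")[0]
            if host.startswith("*.") and (anc.hostname or "").endswith(host[1:]):
                return "allowed"
            if anc.hostname == host:
                return "allowed"
    return "blocked"


def plugin_verdict(policy: dict[str, list[str]]) -> str:
    src = effective_sources(policy, "object-src")
    if src is None:
        return "unrestricted"
    return "blocked" if src == ["'none'"] else "restricted to " + " ".join(src)


# Constructed inputs: the two headers from the question and an assumed relaxed policy.
QUESTION_A = "default-src 'self';"
QUESTION_B = "frame-ancestors 'none';"
RELAXED = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
           "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
           "object-src 'none'; frame-ancestors 'self';")
PAGE = "http://sharepoint.testing.com/_layouts/15/upload.aspx"      # constructed dialog page
PARENT = "http://sharepoint.testing.com/SitePages/Home.aspx"        # constructed same-origin opener


def evaluate(header: str) -> dict[str, str]:
    p = parse_csp(header)
    return {
        "inline_event_handlers": inline_handler_verdict(p),
        "same_origin_dialog": framing_verdict(p, PAGE, PARENT),
        "third_party_framing": framing_verdict(p, PAGE, "https://evil.example/"),
        "plugins": plugin_verdict(p),
    }


if __name__ == "__main__":
    for label, header in (("a", QUESTION_A), ("b", QUESTION_B), ("relaxed", RELAXED)):
        print(label, evaluate(header))
```

Running it shows header (a) blocking inline handlers while leaving framing and plugins open, header (b) closing framing entirely, including SharePoint's own same-origin dialogs, and the relaxed policy keeping the dialogs and the object-src 'none' finding while still refusing third-party framing. The relaxed string is what would go in the `value` attribute of the customHeaders `<add>` element. Note the trade-off a pentest report should record: 'unsafe-inline' in script-src gives up most of CSP's protection against injected script, so that part stays an accepted risk, whereas frame-ancestors 'self' (alongside the X-Frame-Options: SAMEORIGIN header SharePoint 2013 and later already send by default) does close the clickjacking finding without breaking the dialogs.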

Accepted answer
  1. Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff
    2023-12-14T02:53:11.6066667+00:00

    Hi @Venkateswarlu Ambala ,

    Content Security Policy (CSP) is currently supported in model-driven and canvas Power Apps.

    Reference:https://learn.microsoft.com/en-us/power-platform/admin/content-security-policy

    In fact, we currently provide help on SharePoint in the Q&A forum, and Power Apps is a product independent of SharePoint, with which we are not so familiar. We do not have access to internal risk acceptance MS links. So I suggest you start a new discussion in the Power Apps Community on this issue so that you can get more professional help; there will be very professional people there to tell you the solution to close this issue.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

