Impact of SharePoint Online Content Security Policy enforcement

Introduction

Content Security Policy (CSP) is a critical browser security feature designed to protect web applications from threats like cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP allows site owners to specify which resources (scripts, styles, images, etc.) a page can load, reducing the risk of malicious code execution. Please see the Microsoft Community Hub article "SharePoint Online Content Security Policy (CSP): Enforcement Dates and Guidance" for information from Microsoft about this new feature that is being implemented within SharePoint Online.

With Microsoft set to enforce Content Security Policies (CSP) in SharePoint Online from 1st March 2026, we are providing this update to clarify the impact on Lightning Tools products.

CSP Scenarios

As described in the above article, Microsoft categorises script loading into specific scenarios to determine how they handle security policies.

Most Lightning Tools solutions operate under the following standard trusted scenarios:

  • External CDN for SPFx Bundles: JavaScript bundles are hosted on a vendor-managed CDN.
  • External Libraries via CDN: Libraries are loaded at runtime from a CDN.

We rely on the Office 365 CDN for our JavaScript bundles and external libraries. Because these are loaded from “public-cdn.sharepointonline.com” (formerly publiccdn), they are automatically added to the trusted sources list when the solution is installed in the App Catalog. Therefore, for the majority of our products, no manual action is required in the SharePoint Admin Center.

Exception: Lightning Conductor Legacy Calendar View

There is one specific exception for the Lightning Conductor regarding Inline Scripts.

The Legacy Calendar XSL view uses inline scripting. Under strict CSP enforcement, inline scripts (as defined by Microsoft) are blocked.

If your organisation relies on this specific legacy view, it may be affected by the new policies. The modern views within the Lightning Conductor are not affected. We recommend recreating your legacy XSL calendar view using the modern JavaScript calendar view that's built into the Lightning Conductor client-side web part.
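The two cases described above, a bundle served from the trusted CDN host and an inline script, can be checked against a policy with a small source-list matcher. This is an added example, not Lightning Tools or Microsoft code. The policy string, nonce and contoso tenant origin are constructed, and the matcher covers only a subset of CSP (no hash matching, ports, paths, scheme-only sources or 'strict-dynamic').

```javascript
// Simplified CSP check for <script> loads (subset of the spec, see lead-in).
// Constructed policy for illustration; not the header SharePoint Online sends.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://public-cdn.sharepointonline.com";
const PAGE_ORIGIN = 'https://contoso.sharepoint.com'; // constructed tenant origin

// Parse a policy into a Map: directive name -> list of source expressions.
// A repeated directive is ignored, so the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source list governing script elements, following the CSP fallback chain.
function scriptSources(policy) {
  const d = parsePolicy(policy);
  return d.get('script-src-elem') || d.get('script-src') || d.get('default-src') || null;
}

// External script: allowed when 'self', '*', or a [scheme://]host expression matches.
function allowsExternalScript(policy, url, pageOrigin = PAGE_ORIGIN) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive, nothing restricted
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === '*') return /^https?:$/.test(target.protocol);
    const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
    if (!m) return false; // keywords, nonces and hashes never match a URL
    if (m[1] && m[1].toLowerCase() + ':' !== target.protocol) return false;
    const host = m[3].toLowerCase();
    return m[2] ? target.hostname.endsWith('.' + host) : target.hostname === host;
  });
}

// Inline script: allowed by a matching nonce, or by 'unsafe-inline' only when
// the list carries no nonce or hash (their presence disables 'unsafe-inline').
function allowsInlineScript(policy, nonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

Under the constructed policy, the CDN-hosted bundle passes the host match while an inline script without a nonce is refused, which mirrors the difference between the standard scenarios and the legacy XSL calendar view.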

 

Please feel free to contact help@lightningtools.com if you have any questions or concerns; we would be happy to help. 
