2026 (11 en 12 februari). Bekijk Ichicraft Boards voor het
Microsoft is in the final phase of rolling out stricter Content Security Policy (CSP) enforcement across SharePoint Online. These changes significantly improve tenant security — but they also require action from administrators who use third-party solutions, including Ichicraft Boards.
In this article we explain what is changing, why Microsoft is doing this, and what you need to configure to ensure Ichicraft Boards continues to work without interruption.
What is changing?
Microsoft is tightening the CSP rules applied to SharePoint Online pages. CSP is a browser security mechanism that controls which domains are allowed to load and execute JavaScript.
You may have noticed warnings like the following in your browser console:
Until now, SharePoint has been running these new CSP rules largely in report-only mode. That means:
- non-approved scripts are logged as warnings
- but they are still allowed to load
Starting March 1, 2026, Microsoft will enforce these rules.
Once enforcement is enabled:
- scripts loaded from domains that are not explicitly trusted will be blocked by the browser
- affected web parts and extensions will fail to load
Why Microsoft is enforcing CSP
This change is part of Microsoft’s broader security hardening strategy for Microsoft 365.
Enforced CSP:
- reduces the risk of cross-site scripting (XSS) attacks
- prevents unexpected or injected scripts from running
- gives tenant administrators explicit control over which script sources are trusted
This aligns SharePoint Online with modern web security standards and browser expectations.
⚠️ Action required before March 1 ⚠️
Microsoft will enforce stricter Content Security Policy (CSP) rules in SharePoint Online by March 1, 2026.
Required permissions
You need to be either a SharePoint Administrator or Global Administrator to perform these actions.
If no action is taken before March 1, Ichicraft Boards will stop working in affected tenants.
What you need to do:
- Go to the SharePoint Admin Center (typically at URL https://[tenant]-admin.sharepoint.com)
- Open Advanced → Script sources
Ensure the following 2 URLs are present:
- https://ichicraft-widgetboard.azurewebsites.net
- https://ichicraft.azureedge.net
In some tenants, SharePoint automatically adds a URL similar to https://ichicraft-widgetboard.azurewebsites.net/s/1 to the Trusted script sources.
This entry is automatically generated by SharePoint but is not required once the two (root) URLs listed above are configured. You can safely remove it if desired.
If you’re using Ichicraft Board’s Analytics feature, make sure that the script locations of the plugins you use are also configured in the Trusted script sources.
For example, if you’re using Google Analytics and load the plugin from https://cdn.jsdelivr.net, you’ll have to add this source to the list as well. You could add https://cdn.jsdelivr.net to trust the entire domain, or add https://cdn.jsdelivr.net/npm/@analytics/google-analytics/ to only allow specific script files.
Verifying your configuration
After completing the upgrade or adding trusted sources:
- Open your Ichicraft Boards installation in SharePoint.
- Verify that all widgets load correctly and there are no CSP warnings in the browser console.
- If you encounter issues or if you need any advice on this subject, reach out to our support team at boards@ichicraft.com.
