SharePoint Online Content Security Policy Update

This guidance applies only to Employee Intranet versions earlier than 1.15.0. From 1.15.0 onward, all third-party dependencies that required entries in SharePoint Online’s Content Security Policy (CSP) have been removed, so no additional CSP configuration is needed.

To ensure the Employee Intranet functions correctly with SharePoint Online’s Content Security Policy (CSP), clients must update their trusted script sources. This is critical to prevent issues with script execution and maintain compatibility with the latest security updates. Microsoft plans to enforce script blocking for non-compliant scripts in Q4 2025 (October–December 2025), so immediate action is recommended to avoid disruptions.

Key Actions for Clients

Add Trusted Script Sources

Update the CSP settings in your SharePoint Admin Center (https://<tenant>-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/contentSecurityPolicy) to include the following URLs:

Translation Files: These URLs load translation files for literals used in the Employee Intranet interface:

  • https://togo.azureedge.net/locales/<version>/<language>/togo-spfx.json
  • https://togo.azureedge.net/locales/<version>/<language>/togo-common.json
  • https://togo.azureedge.net/locales/<version>/<language>/togo-design-system.json
  • https://togo.azureedge.net/locales/<version>/<language>/togo-ui-core.json
  • https://togo.azureedge.net/locales/<version>/<language>/togo-base.json
  • https://togo.azureedge.net/locales/<version>/<language>/togo-product-news.json

Note: Replace <version> with your product version (e.g., x.y.z) and <language> with the appropriate language code (e.g., en-US, es-ES).

Third-Party Libraries: These URLs load trusted third-party libraries used in the logic of Employee Intranet components, sourced from secure and reputable domains:

  • https://cdn.jsdelivr.net/npm/react-beautiful-dnd@13.0.0/dist/react-beautiful-dnd.min.js
  • https://cdn.jsdelivr.net/npm/emotion@10.0.5/dist/emotion.umd.min.js
  • https://cdn.jsdelivr.net/npm/i18next@20.0.0/i18next.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/pnp-pnpjs/1.3.9/pnpjs.es5.umd.bundle.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/dexie/3.2.2/dexie.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/react-ace/5.8.0/react-ace.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/jszip/3.5.0/jszip.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.13.1/highlight.min.js

Webpart Icons: These URLs load SVG icons for Employee Intranet webparts, ensuring proper rendering in the interface:

  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Dashboard.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Customizable_Quick_Link.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Activity_Stream.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Illustration.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_People_Search.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Related_Content.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Related_People.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Related_Tags.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Searchbox.svg
  • https://togo.azureedge.net/webpart-icons/Webpart-Icon_Tour.svg

Fallback Image: This URL loads a fallback image used when primary images are unavailable in the Employee Intranet:

  • https://togo.azureedge.net/images/fallback.avif

Test CSP Changes

After updating, verify that all Employee Intranet features, such as dashboards and custom components, function as expected.

Monitor for Issues

Regularly check for script-related errors in your browser’s developer console to ensure compliance with the CSP.
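One way to run this check without reading the console line by line, added here as an example (it is not part of the Employee Intranet product or of Microsoft's tooling): collect the browser's standard `securitypolicyviolation` events and summarize the script loads the policy flagged. The function names, the host set (derived from the URL lists above) and the sample events are assumptions made for illustration.

```javascript
// Hosts taken from the URL lists in this guidance.
const INTRANET_HOSTS = new Set([
  "togo.azureedge.net", "cdn.jsdelivr.net", "cdnjs.cloudflare.com",
]);

// Reduce a SecurityPolicyViolationEvent (or an object with the same fields)
// to what triage needs. Returns null for violations that are not script loads.
function toRecord(ev) {
  const directive = ev.effectiveDirective || ev.violatedDirective || "";
  if (!directive.startsWith("script-src")) return null;
  let host = null;
  try {
    // Browsers may report the full URL or only the origin; the host works for both.
    host = new URL(ev.blockedURI).host;
  } catch (_) {
    // blockedURI can be a keyword such as "inline" or "eval" rather than a URL.
  }
  return {
    blockedURI: ev.blockedURI,
    directive,
    disposition: ev.disposition, // "report" = logged only, "enforce" = blocked
    intranetDependency: host !== null && INTRANET_HOSTS.has(host),
  };
}

// Deduplicate by disposition + URI and count repeats.
function summarize(events) {
  const byKey = new Map();
  for (const ev of events) {
    const rec = toRecord(ev);
    if (!rec) continue;
    const key = `${rec.disposition} ${rec.blockedURI}`;
    const prev = byKey.get(key);
    if (prev) prev.count += 1;
    else byKey.set(key, { ...rec, count: 1 });
  }
  return [...byKey.values()];
}

// Constructed sample events (not captured from a real tenant).
const SAMPLE_EVENTS = [
  { blockedURI: "https://cdn.jsdelivr.net/npm/i18next@20.0.0/i18next.min.js", effectiveDirective: "script-src-elem", disposition: "report" },
  { blockedURI: "inline", effectiveDirective: "script-src-elem", disposition: "report" },
  { blockedURI: "https://example.com/a.png", effectiveDirective: "img-src", disposition: "enforce" },
];

// In a browser, record events as they fire; run console.table(summarize(seen)) later.
const seen = [];
if (typeof document !== "undefined") document.addEventListener("securitypolicyviolation", (ev) => seen.push(ev));
```

Records with `intranetDependency: true` point at an Employee Intranet URL that is missing from the trusted sources; records with `disposition: "enforce"` are scripts the browser actually blocked.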

Why This Matters

SharePoint Online’s CSP enhances security by restricting script sources to trusted domains. Starting in Q4 2025, scripts not listed in the trusted sources will be blocked, potentially causing the Employee Intranet to malfunction and impacting user experience.

For more details on configuring CSP in SharePoint Online, refer to the official Microsoft documentation: Support for Content Security Policy (CSP) in SharePoint Online.

For assistance, contact our support team via the Employee Intranet portal.