Applies to: Powell Software on SharePoint Online
Last updated: March 2026
Audience: IT Administrators · Portal Administrators · Developers
Table of Contents
- What is Content Security Policy?
- SharePoint Online CSP Enforcement
- How Powell Software Manages CSP
- Authorized Domains — Complete List
- External JavaScript Libraries
- Troubleshooting — If a Resource is Blocked
- FAQ
1. What is Content Security Policy?
A Content Security Policy (CSP) is a browser security mechanism that controls which external domains a web application is allowed to load resources from — scripts, stylesheets, images, and more.
When a resource is loaded from a domain not listed in the policy, the browser blocks it and logs an error. This protects your portal against:
- Cross-Site Scripting (XSS) — injected malicious scripts
- Data injection attacks — unauthorized data exfiltration
- Supply chain attacks — unexpected third-party code execution
SharePoint Online applies CSP at the tenant level through its Trusted Script Sources setting. Any external script or stylesheet loaded by Powell Software must be declared in this list, or it will be blocked.
2. SharePoint Online CSP Enforcement
SharePoint Online began enforcing CSP on March 1, 2026. Any external resource not declared in Trusted Script Sources is now blocked on all modern SharePoint pages.
Timeline
| Date | Status |
|---|---|
| Before March 1, 2026 | Reporting mode — violations logged but not blocked |
| March 1, 2026 | Enforcement active — unlisted resources are blocked |
| June 1, 2026 | End of optional 90-day delay period |
Emergency Delay (IT Admins only)
If CSP enforcement causes a critical outage, a tenant administrator can delay enforcement by 90 days using the SharePoint Online Management Shell:
```powershell
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
# Important: Run Get immediately after Set to persist the change (known issue)
(Get-SPOTenant).DelayContentSecurityPolicyEnforcement
```
This delay expires permanently on June 1, 2026. Use only as a last resort.
Test CSP on a Specific Page
To test CSP enforcement on a page without changing tenant settings, append one of these parameters to the page URL:
| Parameter | Effect |
|---|---|
| ?csp=enforce | Simulate enforcement (blocks unlisted resources) |
| ?csp=report | Reporting mode only (logs violations, does not block) |
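When testing a page with one of these parameters, the violations can be collected in one place instead of being read line by line from the console. The snippet below is an added example, not SharePoint or Powell Software code; it assumes the page raises the browser's standard `securitypolicyviolation` event, and the names `originOf` and `createCollector` are hypothetical.

```javascript
// Added example, not SharePoint or Powell Software code.
// Groups CSP violation events by blocked origin so one test run gives one summary.
function originOf(blockedURI) {
  // blockedURI can be a keyword such as "inline" or "eval" rather than a URL.
  try { return new URL(blockedURI).origin; } catch { return blockedURI || '(empty)'; }
}

function createCollector() {
  const byOrigin = new Map();
  return {
    // Accepts a SecurityPolicyViolationEvent (or an object with the same fields).
    record(e) {
      const key = originOf(e.blockedURI);
      const row = byOrigin.get(key) ||
        { origin: key, count: 0, directives: new Set(), dispositions: new Set() };
      row.count += 1;
      row.directives.add(e.effectiveDirective);
      row.dispositions.add(e.disposition); // "report" or "enforce"
      byOrigin.set(key, row);
    },
    // One row per origin, most frequently blocked first.
    summary() {
      return [...byOrigin.values()]
        .map(r => ({ origin: r.origin, count: r.count,
                     directives: [...r.directives].sort().join(' '),
                     dispositions: [...r.dispositions].sort().join(' ') }))
        .sort((a, b) => b.count - a.count || a.origin.localeCompare(b.origin));
    },
  };
}

const collector = createCollector();
if (typeof document !== 'undefined') {
  // In the browser: paste into the DevTools console, then use the feature under test.
  document.addEventListener('securitypolicyviolation', e => collector.record(e));
  // Afterwards: console.table(collector.summary());
}
```

The listener only sees violations raised after it is registered, so register it first and then open the widget whose library is loaded on demand.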
3. How Powell Software Manages CSP
Powell Software automatically manages the list of authorized external domains as part of its deployment and update process. When you provision a Powell Software site or run a synchronization from Powell Manager, the required domains are added to your SharePoint tenant's Trusted Script Sources.
You do not need to manually manage Trusted Script Sources for Powell Software features. The synchronization handles this automatically.
Limits
SharePoint Online supports a maximum of 300 entries in Trusted Script Sources. Powell Software uses 22 entries, leaving ample room for your own custom additions.
4. Authorized Domains — Complete List
The following 22 domains are managed by Powell Software and are automatically added to your tenant's Trusted Script Sources during synchronization.
| Domain / Pattern | Category | Used By |
|---|---|---|
| *.powell-software.com | Powell Software CDN & APIs | All Powell Software features (assets, API calls) |
| https://cdn.jsdelivr.net/npm/froala-editor/ | Rich Text Editor | Content editing in pages and widgets |
| https://cdn.jsdelivr.net/npm/froala-editor-paragraph-format-extended-plugin@0.2 | Rich Text Editor | Extended paragraph formatting in the editor |
| https://cdn.jsdelivr.net/npm/chart.js | Data Visualization | Charts in Analytics, Survey, and Planner widgets |
| https://cdn.jsdelivr.net/npm/chartjs-adapter-moment | Data Visualization | Date/time axis support in Chart.js |
| https://cdn.jsdelivr.net/npm/adaptivecards | Adaptive Cards | Microsoft Adaptive Cards rendering |
| https://cdn.jsdelivr.net/npm/adaptivecards-templating | Adaptive Cards | Adaptive Cards template engine |
| https://cdn.jsdelivr.net/npm/fabric | Canvas & UI | Flexdesk / Space management canvas |
| https://cdn.jsdelivr.net/npm/browser-image-compression/ | Image Handling | Image optimization before upload |
| https://cdn.jsdelivr.net/npm/modern-screenshot/dist/index.js | Utilities | Screenshot capture in Content Builder |
| https://cdnjs.cloudflare.com/ajax/libs/cropperjs/ | Image Handling | Image cropping (profile photos, media) |
| https://cdnjs.cloudflare.com/ajax/libs/ace/ | Code Editor | Code editor in AI Module and REST API widget |
| https://cdnjs.cloudflare.com/ajax/libs/angularjs-color-picker/ | UI Controls | Color picker inputs in settings |
| https://cdnjs.cloudflare.com/ajax/libs/angular-i18n/ | Internationalization | AngularJS locale/date formatting |
| https://cdnjs.cloudflare.com/ajax/libs/pdfobject/ | Document Viewer | PDF rendering in document widgets |
| https://cdnjs.cloudflare.com/ajax/libs/leaflet/ | Maps | Embedded maps (non-Google provider) |
| https://maps.googleapis.com/maps/api/js | Maps | Google Maps integration |
| https://maps.googleapis.com | Maps | Google Maps tile and data requests |
| https://apis.google.com | Google APIs | Google API client (YouTube, Drive) |
| https://www.youtube.com | Media | YouTube embed player |
| https://connect.facebook.net | Social | Facebook Share button |
| https://az416426.vo.msecnd.net | Microsoft CDN | Azure Application Insights telemetry |
5. External JavaScript Libraries
Powell Software loads several third-party JavaScript libraries on demand — only when the feature that needs them is used. This approach reduces initial page load time and avoids loading code for features that are not active.
All libraries listed below are loaded from public CDNs (jsDelivr or cdnjs.cloudflare.com) and are covered by the CSP entries in section 4.
Rich Text Editing
Froala Editor
| Attribute | Value |
|---|---|
| Library | Froala Editor |
| Version | 3.2.7 |
| CDN | https://cdn.jsdelivr.net/npm/froala-editor@3.2.7/ |
| Used by | Page editor, News editor, all content authoring widgets |
| Why dynamic | Only loaded when the user opens an editable content area |
Also loads:
- Language packs (/js/languages/[locale].js) based on the user's interface language
- Paragraph Format Extended plugin (froala-editor-paragraph-format-extended-plugin@0.2)
Data Visualization
Chart.js
| Attribute | Value |
|---|---|
| Library | Chart.js |
| Version | 3.9.1 |
| CDN | https://cdn.jsdelivr.net/npm/chart.js@3.9.1/dist/chart.min.js |
| Used by | Analytics widget, Survey widget, Planner widget, custom chart widgets |
| Why dynamic | Loaded only when a chart widget is present on the page |
Chart.js Moment Adapter
| Attribute | Value |
|---|---|
| Library | chartjs-adapter-moment |
| Version | ^1 |
| CDN | https://cdn.jsdelivr.net/npm/chartjs-adapter-moment |
| Used by | Charts with time-based X axes (e.g., activity timelines) |
| Why dynamic | Loaded alongside Chart.js when time-series data is displayed |
Image Handling
Cropper.js
| Attribute | Value |
|---|---|
| Library | Cropper.js |
| Version | 1.5.7 |
| CDN | https://cdnjs.cloudflare.com/ajax/libs/cropperjs/1.5.7/cropper.min.js |
| Used by | My Profile (avatar upload), Dynamic SharePoint field inputs |
| Why dynamic | Loaded only when the user opens an image crop dialog |
Browser Image Compression
| Attribute | Value |
|---|---|
| Library | browser-image-compression |
| Version | 2.0.2 |
| CDN | https://cdn.jsdelivr.net/npm/browser-image-compression@2.0.2/dist/browser-image-compression.js |
| Used by | Any upload flow where images are resized before being sent to SharePoint |
| Why dynamic | Loaded only during image upload operations |
Fabric.js
| Attribute | Value |
|---|---|
| Library | Fabric.js |
| Version | 7.2.0 |
| CDN | https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.min.js |
| Used by | Flexdesk — interactive floor plan and space management |
| Why dynamic | Loaded only when the Flexdesk/space management feature is activated |
Adaptive Cards
Microsoft Adaptive Cards
| Attribute | Value |
|---|---|
| Library | adaptivecards + adaptivecards-templating |
| Version | Latest / 1.4.0 |
| CDN | https://cdn.jsdelivr.net/npm/adaptivecards@latest/ and https://cdn.jsdelivr.net/npm/adaptivecards-templating@1.4.0/ |
| Used by | Adaptive Cards widget — renders Microsoft Adaptive Card JSON payloads |
| Why dynamic | Loaded only when an Adaptive Card widget is present on the page |
Maps & Geolocation
Google Maps JavaScript API
| Attribute | Value |
|---|---|
| Library | Google Maps JS API |
| Version | Latest (runtime) |
| CDN | https://maps.googleapis.com/maps/api/js |
| Used by | Maps Embedded widget (Google Maps provider) |
| Why dynamic | Requires a Google API Key configured by the administrator; loaded on demand |
Prerequisites: A valid Google Maps API key must be configured in the Powell Software widget settings. The key requires the Maps JavaScript API and Places API to be enabled in Google Cloud Console.
Leaflet
| Attribute | Value |
|---|---|
| Library | Leaflet |
| Version | 1.0.2 |
| CDN | https://cdnjs.cloudflare.com/ajax/libs/leaflet/1.0.2/leaflet.js |
| Used by | Maps Embedded widget (OpenStreetMap / non-Google provider) |
| Why dynamic | Loaded only when the Leaflet map provider is selected |
Media
YouTube IFrame API
| Attribute | Value |
|---|---|
| Library | YouTube IFrame API |
| Version | Current (Google-managed) |
| CDN | https://www.youtube.com/iframe_api |
| Used by | YouTube widget |
| Why dynamic | Injected by the YouTube widget when a YouTube video is embedded |
Code Editors
ACE Editor
| Attribute | Value |
|---|---|
| Library | ACE Editor |
| Version | 1.4.11 |
| CDN | https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.11/ |
| Used by | AI Module (prompt scripting), REST API widget |
| Why dynamic | Loaded only when the user opens a code editing panel |
Loads the following ACE modes on demand:
- mode-javascript.min.js — JavaScript syntax highlighting
- mode-json.min.js — JSON syntax highlighting
- mode-html.min.js — HTML syntax highlighting
Social
Facebook JavaScript SDK
| Attribute | Value |
|---|---|
| Library | Facebook SDK |
| Version | Current (Meta-managed) |
| CDN | https://connect.facebook.net/en_US/sdk.js |
| Used by | Facebook Share button/directive |
| Why dynamic | Loaded only when a Facebook Share element is rendered |
Utilities
modern-screenshot
| Attribute | Value |
|---|---|
| Library | modern-screenshot |
| Version | Latest |
| CDN | https://cdn.jsdelivr.net/npm/modern-screenshot/dist/index.js |
| Used by | Content Builder — captures screenshots of portal sections |
| Why dynamic | Loaded only when the screenshot/export feature is triggered |
PDFObject
| Attribute | Value |
|---|---|
| Library | PDFObject |
| Version | Latest |
| CDN | https://cdnjs.cloudflare.com/ajax/libs/pdfobject/ |
| Used by | Document widgets that render PDF files inline |
| Why dynamic | Loaded only when a PDF document widget is present on the page |
6. Troubleshooting — If a Resource is Blocked
Symptom
A Powell Software feature is not working (blank area, missing chart, editor not loading) and the browser console shows an error such as:
Refused to load the script 'https://cdn.jsdelivr.net/npm/chart.js@3.9.1/dist/chart.min.js' because it violates the following Content Security Policy directive: "script-src ..."
Diagnosis Steps
- Open browser DevTools (F12) → Console tab → Look for `Refused to load` errors.
- Identify the blocked domain from the error message.
- Check if the domain is in the list in section 4 above.
Resolution
| Scenario | Action |
|---|---|
| Domain is in the list (section 4) but still blocked | Contact Powell Software Support to re-synchronize Trusted Script Sources |
| Domain is NOT in the list | Contact Powell Software Support — a product update may be needed |
| You added a custom third-party integration | Add the domain manually in the SharePoint Online admin center under Trusted Script Sources |
| Enforcement was recently activated | Verify with ?csp=enforce parameter, then contact support if the domain should already be authorized |
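The diagnosis steps and the first two rows of the resolution table can be scripted over console output saved from DevTools. This is an added example, not Powell Software code: the function names are hypothetical, the sample lines are constructed, and it compares host names only, as the steps above do, without modelling how SharePoint or the browser matches the path part of an entry.

```javascript
// Added example, not Powell Software code. Entries are copied from section 4.
const jsd = p => 'https://cdn.jsdelivr.net/npm/' + p;
const cdnjs = p => 'https://cdnjs.cloudflare.com/ajax/libs/' + p;
const AUTHORIZED = [
  '*.powell-software.com',
  ...['froala-editor/', 'froala-editor-paragraph-format-extended-plugin@0.2',
      'chart.js', 'chartjs-adapter-moment', 'adaptivecards',
      'adaptivecards-templating', 'fabric', 'browser-image-compression/',
      'modern-screenshot/dist/index.js'].map(jsd),
  ...['cropperjs/', 'ace/', 'angularjs-color-picker/', 'angular-i18n/',
      'pdfobject/', 'leaflet/'].map(cdnjs),
  'https://maps.googleapis.com/maps/api/js', 'https://maps.googleapis.com',
  'https://apis.google.com', 'https://www.youtube.com',
  'https://connect.facebook.net', 'https://az416426.vo.msecnd.net',
];

// Host part of an entry: "*.example.com" stays a pattern, URLs lose scheme and path.
const entryHost = e => (e.startsWith('*.') ? e : new URL(e).hostname).toLowerCase();
const HOSTS = new Set(AUTHORIZED.map(entryHost));

// "*.example.com" covers subdomains only, not the bare domain.
function hostListed(host) {
  host = host.toLowerCase();
  for (const h of HOSTS) {
    if (h.startsWith('*.') ? host.endsWith(h.slice(1)) : host === h) return true;
  }
  return false;
}

// Parse one console line; null when it is not a "Refused to load" error with a URL.
function triage(line) {
  const m = /Refused to load the (\S+) '([^']+)'/.exec(line);
  if (!m) return null;
  let host;
  try { host = new URL(m[2]).hostname; } catch { return null; }
  const listed = hostListed(host);
  return { type: m[1], host, listed, action: listed
    ? 'Listed in section 4: ask Powell Software Support to re-synchronize'
    : 'Not listed: contact Powell Software Support, or add it yourself if it is a custom integration' };
}

// Constructed console lines; widgets.example.org is a placeholder host.
const sample = [
  "Refused to load the script 'https://cdn.jsdelivr.net/npm/chart.js@3.9.1/dist/chart.min.js' because it violates the following Content Security Policy directive: \"script-src ...\"",
  "Refused to load the script 'https://widgets.example.org/embed.js' because it violates the following Content Security Policy directive: \"script-src ...\"",
];
for (const r of sample.map(triage)) console.log(r.host, '->', r.action);
```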
View All Current Trusted Script Sources (Admin)
```powershell
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Get-SPOTenantCdnPolicies -CdnType Private
```
7. FAQ
Q: Do I need to manually add domains to SharePoint Trusted Script Sources for Powell Software?
Generally no — Powell Software domains are handled automatically during provisioning. However, if a domain is missing after a product update or a sync issue, you can add it manually from the SharePoint Online admin center under Settings > Trusted Script Sources, or via the SharePoint Online Management Shell.
Q: What happens if I skip a Powell Software sync after an update?
New external resources added in a product update may be blocked until synchronization is run. If you notice features breaking after an upgrade, contact Powell Software Support.
Q: Can I add my own custom domains to the authorized list?
Yes. For custom integrations requiring additional external domains, add them manually from the SharePoint Online admin center under Settings > Trusted Script Sources, or via PowerShell. The 300-entry SharePoint limit applies to the combined total.
Q: Are these libraries loaded for every user on every page?
No. All third-party libraries listed in section 5 are loaded on demand — only when the specific feature is present and active on the page being viewed.
For further assistance, contact Powell Software Support.