Request for improvements to new Content Security Policy (CSP) SPO Rollout

[andrewconnell]

Microsoft is rolling out Content Security Policy (CSP) to SPO. Today, it's in report-only mode. I wrote about it here: SharePoint Online's Support for Content Security Policy

Unfortunately, the feature "as-is" is lacking and not sufficient before Microsoft starts enforcing the CSP policy. I have the following requests... explained in detail in the above article: Areas For Improvement with SPO’s Support for CSP

(1) Rename Trusted Script Sources

Names matter - no one is looking for "Trusted Script Sources" when they need to configure the CSP policy in their tenant. Please rename this to the "CSP Policy" or "CSP Settings" or "Content Security Policy"

(2) Automatically Detect Remote External URLs

The process of deploying the SharePoint solution (*.sppkg) should automatically detect these scripts as well, located in the generated component manifest, just like it does when you don’t include the bundle in the package. These should be shown to the administrator and added to the list of allowed scripts.

I want to see a union of what's defined (if it is defined) in the write-manifest.json file AND the externals property in the config.json file:

(3) Act Like Permission Requests: Let Developers Set Their Own URLs

Developers should have an option, similar to how you can include permission requests in the SharePoint solution package with the webApiPermissionRequests. For instance, like this:

{
  "solution": {
    "name": "vtns-azure-cdn-client-side-solution",
    "id": "0183e69e-a4a3-4688-9a78-713c5da96a4c",
    "version": "1.0.0.0",
    "includeClientSideAssets": false,
    "skipFeatureDeployment": true,
    "isDomainIsolated": false,
    "cspUrlRequests": [
      "https://cdn2.voitanos.io",
      "https://cdn3.voitanos.io"
    ],
    // ..
  },
  "paths": {
    "zippedPackage": "solution/vtns-azure-cdn.sppkg"
  }

[johnnycardy]

Absolutely agree that the additional script sources (externals) should be picked up and added to the app package, automatically as part of the toolchain.

We can, for now, manually add additional script sources into the manifest files;

1. Run gulp bundle as normal.
2. Open the .manifest files under release\manifests\ and edit the internalModuleBaseUrls array to add your missing script sources.
3. Run gulp package-solution as normal.

Then it adds them:

This is still going to be massively annoying because all of our customers are going to need to either add a new trusted source to their admin center themselves, or upgrade the solution with the new version containing these sources.