CSP policy intermittently missing trusted sources, breaking SPFx web parts rendering #10784

@jbolliet-jint

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 Firefox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

Describe the bug / error

We are experiencing intermittent rendering issues with SPFx web parts across multiple tenants.

For the past 1–2 months, several dozen customers (out of several hundred) have reported that SPFx web parts sometimes fail to load. Instead of rendering correctly, the web part displays a generic error message:

[object Object]

This issue occurs randomly — sometimes once a day, sometimes multiple times — and significantly impacts user experience.

A simple page refresh always resolves the issue, and the web parts then load correctly.

After investigation, we were finally able to reproduce the issue and identify a likely root cause related to CSP (Content Security Policy) enforcement introduced in early March.

When the issue occurs:

  • Some SPFx assets fail to load due to CSP restrictions (blocked:csp in the network tab)
  • The browser devtools console shows that the CSP trusted sources list is incomplete — specifically, the most recently added entries (in our case, the last 12 sources) are missing compared to what is configured in the SharePoint Admin Center
  • As a result, web parts depending on those missing sources do not initialize and display the [object Object] error instead of a proper message

Scope of the issue:

The issue does not appear to be related to page complexity:

  • It occurs on pages with many SPFx components (multiple web parts and Application Customizers)
  • It also occurs on pages with a single web part

Screenshots:

We will attach screenshots showing:

Network tab (CSP blocking)

Multiple SPFx asset requests are blocked due to CSP (blocked:csp):

[Screenshot: Network CSP errors]

Console output (CSP violations)

The console clearly shows CSP violations and an incomplete list of trusted sources:

[Screenshot: Console CSP errors]

For readability, the screenshot is cropped to show only the last 5 entries from the configured trusted sources (the full list contains ~150 entries) and the last ones are Microsoft sources.

The last entries shown have the following patterns in their paths:

  • .../2026.3.25.66415/
  • .../2026.3.25.66413/
  • .../2026.3.25.66410/
  • .../2026.3.25.66409/
  • .../2026.3.24.66361/

SharePoint Admin Center configuration

All these sources are correctly configured as trusted sources:

[Screenshot: Trusted sources configuration]

However, these same sources are missing from the CSP list reported in the devtools console error.
Only a subset (the older entries) appears to be included, while the most recent sources are not applied.

Conclusion:

The CSP configuration appears to be inconsistently applied: some trusted sources (especially the most recently added ones) are missing on initial load, but are correctly applied after a page refresh.

Steps to reproduce

  1. Open a SharePoint page containing SPFx components (web parts and/or Application Customizers)

  2. Ensure the environment uses:

    • Custom CDN for SPFx assets
    • A large list of trusted sources configured in the SharePoint Admin Center (I don't know if it's important or not)
  3. Load the page multiple times (the issue is intermittent and may require several attempts)

Observed behavior when the issue occurs:

  • Some SPFx assets fail to load (blocked:csp)
  • Browser console shows CSP violations indicating missing trusted sources
  • The list of allowed sources in the CSP header is incomplete (missing several URLs compared to the configured trusted sources — in our case, the 12 most recent entries)
  • Web parts relying on those missing sources fail to render and display [object Object]
  4. Refresh the page

After refresh:

  • All CSP sources are correctly applied
  • No more blocked requests
  • Web parts render normally

Expected behavior

  • The CSP policy applied to the page should consistently include the full list of trusted sources configured in the SharePoint Admin Center
  • SPFx assets hosted on trusted CDNs should never be intermittently blocked by CSP
  • Web parts should render correctly
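
An added diagnostic sketch (not part of the original report and not SharePoint code): it parses a served `Content-Security-Policy` header value, diffs one directive against the configured trusted-sources list, and reports whether the missing entries form the tail of that list, which is the pattern the report describes. Assumptions: the relevant directive is `script-src`, configured entries appear verbatim in the header, and all URLs and header values below are constructed samples.

```javascript
// Parse a CSP header value into { directiveName: [source expressions] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Report configured sources absent from the served policy.
// `directive` defaults to script-src (assumption); default-src is the fallback.
function missingTrustedSources(headerValue, configured, directive = "script-src") {
  const policy = parseCsp(headerValue);
  const served = new Set(policy[directive] || policy["default-src"] || []);
  const missing = configured.filter((src) => !served.has(src));
  // tailOnly: everything from the first missing entry onward is missing,
  // i.e. the served list looks like an older, shorter copy of the config.
  const first = configured.findIndex((src) => !served.has(src));
  const tailOnly = first !== -1 &&
    configured.slice(first).every((src) => !served.has(src));
  return { missing, tailOnly };
}

// Constructed sample data, in the order the entries were (hypothetically) added.
const configured = [
  "https://cdn.example.com/app/2026.1.10.100/",
  "https://cdn.example.com/app/2026.2.14.200/",
  "https://cdn.example.com/app/2026.3.24.300/",
  "https://cdn.example.com/app/2026.3.25.400/",
];
const buildHeader = (sources) =>
  "default-src 'self'; script-src 'self' 'nonce-abc123' " +
  sources.join(" ") + "; img-src *";

const staleHeader = buildHeader(configured.slice(0, 2)); // failing load
const fullHeader = buildHeader(configured);              // after refresh

console.log("failing load:", missingTrustedSources(staleHeader, configured));
console.log("after refresh:", missingTrustedSources(fullHeader, configured));
```

On a failing load, the header value can be copied from the page document's response headers in the network tab and passed in place of `staleHeader`.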

Labels

  • sharepoint-developer-support
  • type:bug-suspected: Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs.