
Commit 2d7aa7b

clarified CDN configuration
1 parent cb39d9b commit 2d7aa7b

1 file changed

+6
-6
lines changed

docs/spfx/content-securty-policy-trusted-script-sources.md

Lines changed: 6 additions & 6 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Support for Content Security Policy (CSP) in SharePoint Online
33
description: Learn how SharePoint Online implements Content Security Policy to protect against various attack vectors, and how you can ensure your SharePoint Framework components are valid.
4-
ms.date: 12/16/2025
4+
ms.date: 12/17/2025
55
author: andrewconnell-msft2
66
ms.author: bjansen
77
---
@@ -244,12 +244,12 @@ The enforcement of Content Security Policy (CSP) for SharePoint Online will star
244244
245245
## Frequently Asked Questions
246246
247-
### I need to load the script https://code.jquery.com/jquery-3.6.0.min.js, in what ways can I define this as trusted source?
247+
### I need to load the script `https://cdn.jsdelivr.net/npm/jquery@3.6.4/dist/jquery.min.js`, in what ways can I define this as trusted source?
248248
249-
- The most secure way is qualifying the exact script you want load as then only the specific version of the script can be loaded: `https://code.jquery.com/jquery-3.6.0.min.js`
250-
- If you want to allow all scripts in a specific domain (code.jquery.com) then use `https://code.jquery.com`. Note that `https://code.jquery.com/*` is not working.
251-
- If you want to allow all script sources in specific domain + folder (root folder of code.jquery.com) then use `https://code.jquery.com/`. Note that `https://code.jquery.com/*` is not working.
252-
- If you want to allow all subdomains inside a domain use `*.jquery.com`, this will allow loading anything under `jquery.com`
249+
- The most secure way is qualifying the exact script you want load as then only the specific version of the script can be loaded: `https://cdn.jsdelivr.net/npm/jquery@3.6.4/dist/jquery.min.js`
250+
- If you want to allow all script in specific domain + folder (so all scripts that are hosted under https://cdn.jsdelivr.net/npm) then use `https://cdn.jsdelivr.net/npm/`. **Note the trailing slash!** Also note that `https://cdn.jsdelivr.net/npm/*` is not working.
251+
- If you want to allow all scripts in a specific domain (cdn.jsdelivr.net) then use `https://cdn.jsdelivr.net`, `https://cdn.jsdelivr.net/` or `cdn.jsdelivr.net`. Note that `https://cdn.jsdelivr.net/*` is not working.
252+
- If you want to allow all subdomains inside a domain use `*.jsdelivr.net`, this will allow loading anything under `jsdelivr.net`
253253
254254
### I'm hitting the 300 max sources limit, what should I do?
255255
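Review bot: In the last added bullet (new line 252), "this will allow loading anything under `jsdelivr.net`" overstates what `*.jsdelivr.net` covers. In standard CSP host matching a leading wildcard matches subdomains such as `cdn.jsdelivr.net` but not the bare host `jsdelivr.net`, and the bullet itself starts by saying "all subdomains". Suggested wording: "this allows scripts from any subdomain of `jsdelivr.net`, but not from `jsdelivr.net` itself". That entry also omits the `https://` scheme that most of the other examples carry; the bullet at new line 251 lists `cdn.jsdelivr.net` as an accepted form, so say here as well whether the scheme-less form is intentional. Since the bullets now run from narrowest to broadest, one sentence stating that each step down the list trusts more content on a shared CDN host would back up the "most secure way" claim in the first bullet. Minor: "you want load" and "all script in specific domain" carry grammar slips into the new text, and the heading reads better as "as a trusted source".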
