Watermarker fails to load because Microsoft now enforces Content Security Policy (CSP)

Starting 1 March 2026, Microsoft began enforcing Content Security Policy (CSP) in SharePoint Online. Because of this change, browsers now block scripts that aren’t in trusted script sources.

Before this date, SharePoint only logged CSP violations and still loaded scripts. Microsoft now enables scripts only from trusted paths. SharePoint currently trusts /Scripts/Extensions/, but the Watermarker script loads from /Scripts/, which is outside that scope.

What you’ll see

Your SharePoint page doesn’t load. You’ll see a message Working on it... in the upper-right corner of the page.

When you open the browser console (F12), SharePoint shows a CSP violation error for the Watermarker script, indicating that it’s blocked because it’s not in a trusted script source. The error message looks like what’s shown in the following image.

Resolution

To fix the issue, ask your SharePoint Administrator or Global Administrator to complete the following steps:

1. Go to SharePoint Admin Center > Advanced > Script sources.
2. Check the entry for the Muhimbi domain. It’s usually scoped to a subdirectory (for example, https://muhimbi-pcso.azurewebsites.net/Scripts/Extensions/) or missing.
3. Add another trusted source for the full domain: https://muhimbi-pcso.azurewebsites.net.

After the update above, two Muhimbi entries appear: one for the full domain and one for the subdirectory.

Changes to trusted script sources usually take effect within 15–60 minutes.

For more information about this Microsoft change, refer to the Content Security Policy in SharePoint Online(opens in a new tab) guide.