SPFx and Content Security Policy produce errors on each script source if server relative URL used

[vlad-nvs]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK, or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• SPFx version 1.18.2
• Node.js version 18.17.1

Describe the bug/error

Content Security Policy (CSP) has now been introduced for SharePoint Online.
A new tab is available in the SharePoint Admin Center under Advanced → Script sources.

It contains all script URLs from the SPFx solutions, and everything seems to work well. However, when a server relative URL is used (scripts are on the same Tenant), the browser console shows errors such as:

The source list for the Content Security Policy directive 'script-src' contains an invalid source: '/sites/..../.../..../'. It will be ignored.

For now, these are just console errors, and everything appears to be working correctly. However, if there are multiple SPFx solutions, it becomes difficult to identify real issues.

Furthermore, it identifies errors for Script sources that are hosted on different sites.

As far as I know, it is allowed to use relative URLs in SPFx, e.g., in cdnBasePath, and it is even possible to add such URLs to Script sources via the SharePoint Admin Center UI.

Can someone explain why these errors occur for relative URLs in script sources, and whether using relative URLs in SPFx solutions might have any impact in the future?

Steps to reproduce

1. Create SPFx solution
2. Use a relative URL for cdnBasePath
3. Upload SPFx to App Catalog and install on any site

Expected behavior

I think server relative URLs should work properly with the Content Security Policy feature since it's allowed to use them in a SPFx solution from the beginning (and everything works), and it should not produce errors for such script sources

[Ashlesha-MSFT]

Hello @vlad-nvs ,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[Ashlesha-MSFT]

@vlad-nvs,
This behavior is expected and aligns with CSP standards — server-relative URLs (e.g., /sites/...) are not valid script sources under CSP. The official SPFx CSP documentation confirms that only absolute URLs or origins are supported. While SPFx allows relative paths in cdnBasePath, this is legacy behavior and not compatible with CSP.

This should be considered a feature request, not a bug.
You can raise it at the https://feedbackportal.microsoft.com/feedback/forum/06735c62-321c-ec11-b6e7-0022481f8472

[vlad-nvs]

Hi @Ashlesha-MSFT.
Thx for the details.

Will it block loading scripts from such relative URLs?
Because now it works with such URLs, and I can add such script source via UI in Admin Center.

And why does it show all invalid script sources, even those that are not related to the site where I try to load SPFx scripts?

For me, it looks more like a bug in a script in a browser that checks URLs and shows confusing errors from all invalid Script sources that should be available only for Admin use.