Applies to Product - Power Platform Administration
What’s happening?
During penetration testing, the following Content Security Policy (CSP) headers are recommended for Dynamics 365: Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self' However, there are concerns regarding the support for such configurations in Dynamics 365.
Reason:
Currently, Dynamics CRM version 9.0 does not support configuring the CSP header. CSP is only supported in the online environment and on-premises environments with version 9.1 or later. Although some directives can be configured in Dynamics 365 (on-premises) version 9.1, certain directives remain non-customizable.
Resolution:
- It is confirmed that for deployments using Dynamics 365 (on-premises) version 9.0, the CSP header cannot be configured.
- The Intranet environment protects against loading malicious resources, indicating that there is no significant risk for environments running on-premises with version 9.0.
- It is on the roadmap to modify currently non-customizable headers, but there is no estimated time of arrival (ETA) for this implementation.
