I would like to add Content-Security-Policy headers for Exchange 2016 for /owa and /ecp.
Being well aware that a "too restrictive" Content-Security-Policy header can break both /owa and /ecp, is there a known working least permissive set for Exchange 2016 ?
I would just like to contribute to 'Matthew L' answer (and thank him also for pointing in right direction), cause it is pretty much the same for Exchange 2013 except you don't need https://.microsoft.com and https://.sharepointonline.com so the policy looks like this:
default-src 'self' data: 'unsafe-inline';img-src data: https:;script-src 'self' 'unsafe-inline' 'unsafe-eval'
The answer above may have worked in Exchange 2010 but wreaks havoc in OWA on 2016. OWA in Exchange 2016 likes to use resources loaded from microsoft.com and sharepoint.com (as well as the data: protocol). Also as it is above, the setting won't load any external images when browsing email in OWA.
The setting below has worked well for me in Exchange 2016.
default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;
This works, at least, for OWA 2010.
Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
