3751855 - SAC excel add-in connection fails with content security policy violation when loading appsforoffice.microsoft.com script

Symptom

Connection from the excel add-in to the SAC tenant fails due to a Content Security Policy (CSP) violation.
Error example: "Loading the script https://appsforoffice.microsoft.com/lib/1/hosted/excel-web-16.00.is violates the following Content Security Policy directive: 'script-src ...'. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked."

Environment

Product: SAP Analytics Cloud, add-in for Microsoft Office

Reproducing the Issue

Open Excel and start the SAC add-in.
Attempt to connect to the SAC tenant from the add-in.
Check the console (for example, browser or WebView developer tools) and observe the CSP violation stating that the script from appsforoffice.microsoft.com is blocked.

Cause

Content Security Policy (CSP) on the SAC tenant is enabled and does not include appsforoffice.microsoft.com in the trusted allow list, which blocks the add-in’s required script loading.

Resolution

In the SAC tenant, go to Administration > Security and locate the Content Security Policy settings.
If CSP is enabled, add appsforoffice.microsoft.com to the trusted domains/allowed sources (for example, allow it for script loading).
Save the configuration.
Retry connecting from the Excel add-in.
If required for validation, temporarily disable CSP to confirm the root cause. If the add-in then connects, re-enable CSP and ensure appsforoffice.microsoft.com is included in the allow list.

Keywords

sac add-in, excel add-in, content security policy, csp, script-src, appsforoffice.microsoft.com, connection fails, blocked script, office.js, excel web add-in, trusted domains, allow list, script blocked, console error, sac tenant configuration , KBA , LOD-ANA-OF-XLA , SAP Analytics Cloud, add-in for Microsoft Office , Problem

Product

SAP Analytics Cloud 1.0