Exchange Server: CSP script-src-attr ‘none’ error (Mitigation CVE-2026-42897)

If you manage Exchange servers and your users are reporting strange errors in OWA (Content Security Policy, blocked buttons, calendar printing issues), don’t panic: you haven’t been hacked; Microsoft has just tightened the screws a little too much.

In this article, we’ll take a look at the CSP error, its connection to the CVE-2026-42897 vulnerability, and what to do about it.

The Symptom

In the browser’s developer console (F12) or via an error pop-up, users of Outlook Web App (OWA) or the EAC (Exchange Admin Center) see this message:

Executing inline event handler violates the following Content Security Policy directive 'script-src-attr 'none''. Either the 'unsafe-inline' keyword, a hash ('sha256-…'), or a nonce ('nonce-…') is required to enable inline execution.

Direct consequences for users:

  • Cannot print calendars from OWA.
  • Images embedded (inline) in certain emails fail to display.
  • Certain browser extensions (ad blockers, translators) or Exchange add-ins cause 500 errors or complete crashes.

Why is this error appearing now? (The Cause)

To counter the active exploitation of the CVE-2026-42897 vulnerability (a critical XSS/spoofing flaw in OWA), Microsoft deployed an emergency mitigation measure in mid-May via the EEMS (Exchange Emergency Mitigation Service).

This automatic mitigation (identified by the code M2.1.x) injects a URL rewrite rule at the IIS level to enforce an ultra-restrictive Content Security Policy (CSP) header.

The offending `script-src-attr 'none'` directive blocks the execution of any script written directly in an HTML event-handler attribute (such as `onclick="..."`). The problem is that the Exchange code itself (and many extensions) still relies on this practice, so the browser blocks legitimate actions.
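To see how a browser decides this, here is a small added checker (not code from the article or from Microsoft): it resolves which CSP directive governs inline event handlers (`script-src-attr`, falling back to `script-src`, then `default-src`) and lists the `on*="..."` attributes in a page fragment that would be blocked. The header and HTML snippet are constructed for the example, shaped like the mitigation described above.

```javascript
// Added example: which inline event-handler attributes does a CSP header block?

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Browsers honour the first occurrence of a directive and ignore duplicates.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return policy;
}

// Fallback chain for event-handler attributes: script-src-attr -> script-src
// -> default-src. Returns null when no directive restricts them.
function governingDirective(policy) {
  for (const name of ["script-src-attr", "script-src", "default-src"]) {
    if (name in policy) return name;
  }
  return null;
}

// Inline handlers run only if the governing directive contains 'unsafe-inline'.
// A nonce or hash in the same directive makes browsers ignore 'unsafe-inline',
// so that combination is treated as blocked (the 'unsafe-hashes' case is not modelled).
function inlineHandlersAllowed(header) {
  const policy = parseCsp(header);
  const name = governingDirective(policy);
  if (name === null) return true;
  const sources = policy[name];
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Collect inline event-handler attribute names (onclick, onerror, ...) in an HTML fragment.
function findInlineHandlers(html) {
  const re = /\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Handlers that the browser would refuse to execute under the given header.
function blockedHandlers(header, html) {
  return inlineHandlersAllowed(header) ? [] : findInlineHandlers(html);
}

// Constructed sample: a restrictive header like the mitigation, and an OWA-style button.
const MITIGATION_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'";
const SAMPLE_HTML = '<button id="print" onclick="printCalendar()">Print</button><img src="x" onerror="retry()">';
```

Running `blockedHandlers(MITIGATION_CSP, SAMPLE_HTML)` reports both `onclick` and `onerror`, which is exactly the class of legitimate OWA actions the error in the console refers to.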

How can this problem be resolved or worked around?

1. User Side: The Temporary Solution

Until Microsoft releases a proper Security Update (SU) that rewrites the OWA code, the only 100% viable solution for affected users is to use the Outlook Desktop client, which does not use the web rendering engine impacted by this CSP rule.

If the issue affects only a single user, ask them to test in incognito mode without extensions. Very often, it is a browser extension that injects code and triggers Exchange’s CSP policy.

2. Admin Side: Should Mitigation Be Disabled?

Technically, it is possible to disable this rule via the EEMS management script (MitigationServiceConfig.ps1) or by modifying the IIS configuration.

🚨 Our recommendation: Do not do this. The CVE-2026-42897 vulnerability is critical and is being actively exploited by malicious actors to steal session tokens. Disabling protection to restore calendar printing exposes the infrastructure to a major risk.

In summary

This is "normal" behavior (a Known Issue acknowledged by Microsoft) related to emergency protection. You’ll just have to be patient and wait for Microsoft to release a Cumulative Update (CU) or Security Update (SU) that properly handles the CSP without breaking the user experience.

Have you encountered this issue on your Exchange environments? Are specific add-ins crashing? Feel free to share your feedback in the comments!
