Error in ALL our Plumsail Forms

Jamail_Serio · March 16, 2026, 1:07pm

All of our plumsail forms are currenly displaying this error

The required scripts were not loaded. Please check the browser console.

Can you help please with a possible fix?

Jamail_Serio · March 16, 2026, 1:09pm

sp-pages-assembly_en-us_d39203a69e37f6d511da6f5625baa63c.js:225 
Warning!Use of this tool exposes you to potential security threats which can result in others gaining access to your personal Office 365 data (documents, emails, conversations and more). Make sure you trust the person or organization that asked you to access this tool before proceeding.Learn more here: https://technet.microsoft.com/en-us/library/bb794823.aspx
sp-pages-assembly_en-us_d39203a69e37f6d511da6f5625baa63c.js:98 Session ID: 018f00a2-6021-e000-aa51-c4a9928a39c4
sp-pages-assembly_en-us_d39203a69e37f6d511da6f5625baa63c.js:98 Time in UTC:  Mon, 16 Mar 2026 13:08:36 GMT
chunk.9316_none_81727b88ac888bcd8540.js:1 Bootstrapper versionOverride :  ecsVersion : 1.20260301.5.0 preferredVersion : 1.20260120.1.0 cachedVersion : 1.20260301.5.0
chunk.9316_none_81727b88ac888bcd8540.js:1 Downloading bootstrapper version 1.20260301.5.0.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
[Violation] Permissions policy violation: unload is not allowed in this document.
search-page-bootstrapper-standby.js:1 Setting webpack public path to: https://res.cdn.office.net/midgard/versionless/
chunk.9316_none_81727b88ac888bcd8540.js:1 Caching bootstrapper version 1.20260301.5.0.
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - Tenant configuration retrieved from cache.
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - init success.
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine version 20260205.1 - ApplicationCustomizer
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - Tenant configuration retrieved from cache.
VM2266:5 A preload for 'https://forms.plumsail.com/webpart/1.0.6.0/form-web-part-bundle_80362b42a8610b6c345eb05b7b18fe20.js' is found, but is not used because the request credentials mode does not match. Consider taking a look at crossorigin attribute.
req.load @ VM2266:5
load @ VM2266:5
load @ VM2266:5
fetch @ VM2266:5
check @ VM2266:5
enable @ VM2266:5
enable @ VM2266:5
eval @ VM2266:5
eval @ VM2266:5
each @ VM2266:5
enable @ VM2266:5
init @ VM2266:5
eval @ VM2266:5
ty-graph-pages-report-panel-application-customizer_484327f04a082ce30708.js:27 tyGraph Pages Report Panel version 20260115.0
ty-graph-pages-report-panel-application-customizer_484327f04a082ce30708.js:27 tyGraph Pages webpart - Tenant configuration retrieved from cache.
ty-graph-pages-report-panel-application-customizer_484327f04a082ce30708.js:27 tyGraph Pages webpart - init success.
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - obfuscate -  2
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - retrieved up from cache.
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - user info -  true
VM2266:5 Loading the script 'https://forms.plumsail.com/widget/1.0.7/spform.js' violates the following Content Security Policy directive: "script-src 'unsafe-eval' https://forms.plumsail.com/webpart/1.0.6.0/ https://config.tygraph.cdn.avepointonlineservices.com/pageswebpart/ https://config.tygraph.cdn.avepointonlineservices.com/pagesengine/ https://tygraphpagescdn.azureedge.net/logger/ https://tygraphpagescdn.azureedge.net/webparts/ https://forms.plumsail.com/webpart/1.1.0.5/ https://contentstorage.osi.office.net https://swx.cdn.skype.com https://res.delve.office.com https://lpcres.delve.office.com https://widget.uservoice.com https://by2.uservoice.com https://www.bing.com/api/maps https://www.bing.com/rms https://fabriciss.azureedge.net https://ajax.aspnetcdn.com https://js.monitor.azure.com https://r4.res.office365.com https://public-cdn.sharepointonline.com https://teams.microsoft.com *.cdn.office.net *.fluidpreview.office.net *.onecdn.static.microsoft https://webshell.suite.office.com https://amcdn.msftauth.net https://res-1.cdn.office.net *.bing.com c64.assets-yammer.com *.virtualearth.net *.ditu.live.com appsforoffice.microsoft.com platform.twitter.com https://login.microsoftonline.com https://publiccdn.sharepointonline.com https://public-cdn-staging.sharepointonline.com https://loki.delve.office.com https://res.cdn.office.net/midgard/ https://substrate.office.com https://res.public.onecdn.static.microsoft  https://c1-word-view-15.cdn.office.net 'self' alcdn.msauth.net https://res-2.cdn.office.net https://res-3.cdn.office.net https://shell.cdn.office.net https://res.cdn.office.net 'nonce-awv0r7hhufo' 'sha256-ATReICQsd+smV/PvrA4eH+DuxsenS4SxbGcSjySJlBA=' 'sha256-2vr5KMButMK7a+bOf/ned/cPnF2yNooMulXA8E65wGw=' 'sha256-Ie4uWHgjrKA4WjOrgfxpFEHOCYe/wqVItoHI+ySGTd4=' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
req.load @ VM2266:5
load @ VM2266:5
load @ VM2266:5
fetch @ VM2266:5
check @ VM2266:5
enable @ VM2266:5
enable @ VM2266:5
eval @ VM2266:5
eval @ VM2266:5
each @ VM2266:5
enable @ VM2266:5
init @ VM2266:5
eval @ VM2266:5
sp-pages-assembly_en-us_d39203a69e37f6d511da6f5625baa63c.js:303 Uncaught (in promise) undefined
prefetch_31194b02.js:1 invalid contentSourceFilter config
f @ prefetch_31194b02.js:1
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 {applicationInsightsService.getPageListItemAsStream} - invalid data returned from renderListDataAsStream.  Using fallback method.
(anonymous) @ ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - Page view tracked -  ApplicationCustomizer
ty-graph-pages-engine-application-customizer_8f42e8030c41797d2706.js:1 tyGraph Pages Engine - page read tracked - no scroll.

Margo · March 17, 2026, 4:27am

Hello @Jamail_Serio,

The error is caused by updates from Microsoft. Please see the instructions on how to resolve it:

sphilson · March 19, 2026, 1:55pm

I am having a similar issue, but the solution linked does not resolve it.

We have a our scripts stored in a series of .js files (this is a very involved implementation where I load multiple js files and references them) and they are all stored in our Sharepoint in our SiteAssets folder, our javascript tab on our forms looks like:

window.$ = $;
window.fd = fd;
window.sp = sp;
window.Dialog = Dialog;
window.Web = Web;  //Enable if you are going to do cross-subsite queries
var rs = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15); //Cache Buster
$('<link/>', { rel: 'stylesheet', type: 'text/css', href: "/SiteAssets/KSCSS.css?r=" + rs }).appendTo('head');
$('<link/>', { rel: 'stylesheet', type: 'text/css', href: "https://code.jquery.com/ui/1.13.2/themes/Start/jquery-ui.css"}).appendTo('head');
$.getScript("/SiteAssets/kscommon.js?r=" + rs);
$.getScript("/SiteAssets/IT/Onboarding.js?r=" + rs);

fd.spRendered(function() {
    setTimeout(() => {
        let codeloaded = true;
        if (this.CommonVersion == undefined) {
            console.log('missing common form code');
            codeloaded = false;
        } else { console.log(`common code loaded ${this.CommonVersion}`); }
        if (this.kscommonVersion == undefined) {
            console.log('missing kscommon code');
            codeloaded = false;
        } else { console.log(`kscommon code loaded ${this.kscommonVersion}`); }
        if (!codeloaded) {
            alert('The code did not load correctly.  Click Okay to automatically refresh and try again');
            this.location.reload();
        } else { FormStartup(); }
    }, 800);
});

I have modified my Trusted Scripts to include code.jquery.com, .spform.com, our sharepoint url (at the root like .sharepoint.us (we are not on commerical cloud) and .plumsail.com

None of my script files in my SiteAssets are loading.

Margo · March 20, 2026, 5:01am

Hello @sphilson,

he new Content Security Policy (CSP) enforcement blocks inline scripts, so you would have to find an alternative. Here is some info from Microsoft’s blog.

Please use import syntax. In this case, make sure to add the script url to trusted script sources.

Here’s an example:

// This url needs to be added to trusted script sources
const JS_URL = 'https://cdn.jsdelivr.net/npm/@multiavatar/multiavatar@1.0.7/+esm';

let multiavatar = (await import(JS_URL)).default;
let svgCode = multiavatar('Binx Bond');
fd.control("HTML1").html = svgCode;