Disable Content Security Policy (CSP) in Projects
Description
Content Security Policy (CSP) is a security feature designed to prevent specific types of attacks, such as Cross-Site Scripting (XSS) and data injection. It provides an additional layer of security by restricting the sources from which content can be loaded.
All Telerik UI for ASP.NET MVC components are CSP-compatible. For more information on enabling CSP in a Telerik UI for ASP.NET MVC application, refer to the Content Security Policy documentation.
Starting with the 2025 Q1 release, CSP is enabled by default in all projects created using the Telerik UI for ASP.NET MVC Visual Studio Extensions. However, CSP templates in components such as the Grid require specific handling.
This article provides guidance on how to disable CSP compatibility when necessary in projects created through the Telerik UI for ASP.NET MVC Visual Studio Extensions.
Solution
To disable CSP in a Telerik UI for ASP.NET MVC application, follow these steps:
- Open the _Layout.cshtml file and remove the <meta> tag for CSP:

      <meta http-equiv="Content-Security-Policy" content="..." />

- Remove the @Html.Kendo().DeferredScriptFile() line from the _Layout.cshtml file.

- Open the Global.asax.cs file and remove the DeferToScriptFiles setting:

      KendoMvc.Setup(x => { x.DeferToScriptFiles = true; });

- Open the Web.config file and remove the following HttpModule:

      <configuration>
        ...existing code...
        <system.webServer>
          <modules>
            <add name="KendoDeferredScriptsModule" type="Kendo.Mvc.KendoDeferredScriptsModule" />
          </modules>
        </system.webServer>
        ...existing code...
      </configuration>

Once done, run the application and open the browser console with F12 to ensure that there are no client-side errors.
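
A consistency check for the four steps above, as an added example that is not part of the Telerik documentation or project code: it reports which of the CSP items are still present, so a partially applied procedure is visible before the application is run. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Patterns for the items named in the four steps above.
META_CSP = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*[\"']Content-Security-Policy[\"']", re.I)
DEFERRED_CALL = re.compile(r"@Html\.Kendo\(\)\.DeferredScriptFile\(\)")
DEFER_SETTING = re.compile(r"\bDeferToScriptFiles\s*=\s*true\b")

def module_registered(web_config):
    """True if KendoDeferredScriptsModule is under <system.webServer><modules>."""
    root = ET.fromstring(web_config)
    return any(add.get("name") == "KendoDeferredScriptsModule"
               for sws in root.iter("system.webServer")
               for add in sws.findall("modules/add"))

def csp_leftovers(layout, global_asax, web_config):
    """Names of the CSP items from the steps that are still present."""
    found = {
        "<meta> CSP tag in _Layout.cshtml": META_CSP.search(layout),
        "DeferredScriptFile() in _Layout.cshtml": DEFERRED_CALL.search(layout),
        "DeferToScriptFiles in Global.asax.cs": DEFER_SETTING.search(global_asax),
        "KendoDeferredScriptsModule in Web.config": module_registered(web_config),
    }
    return [name for name, hit in found.items() if hit]

def csp_state(layout, global_asax, web_config):
    """'enabled' (all four present), 'disabled' (none) or 'partial'."""
    count = len(csp_leftovers(layout, global_asax, web_config))
    return {0: "disabled", 4: "enabled"}.get(count, "partial")

# Constructed sample inputs (not taken from a real project).
LAYOUT = """<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
</head><body>@RenderBody() @Html.Kendo().DeferredScriptFile()</body>"""
GLOBAL_ASAX = "KendoMvc.Setup(x => { x.DeferToScriptFiles = true; });"
WEB_CONFIG = """<configuration><system.webServer><modules>
<add name="KendoDeferredScriptsModule" type="Kendo.Mvc.KendoDeferredScriptsModule" />
</modules></system.webServer></configuration>"""
CLEAN_CONFIG = ("<configuration><system.webServer><modules />"
                "</system.webServer></configuration>")

if __name__ == "__main__":
    print(csp_state(LAYOUT, GLOBAL_ASAX, WEB_CONFIG))
    # Only the layout was edited: the two remaining items are listed.
    print(csp_leftovers("<head></head>", GLOBAL_ASAX, WEB_CONFIG))
```

The matching is textual, so a commented-out line in `_Layout.cshtml` or `Global.asax.cs` still counts as present.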