Introduction
System Requirements
UI for Blazor in Hybrid Apps Specifics
Knowledge Base
API Reference
Troubleshooting / Content Security Policy
New to Telerik UI for BlazorStart a free 30-day trial

Content Security Policy

Updated over 6 months ago

This article describes how Telerik UI for Blazor conforms to Content-Security-Policy (CSP) and what policy configuration it may need.

Introduction

In general, a strict CSP can disable web app features, such as:

  • Scripts, styles, and images from untrusted domains.
  • Inline JavaScript in <script> tags and legacy DOM attributes such as onclick. Blazor @onclick directives work as expected.
  • Inline CSS in <style> tags and style attributes.
  • Fonts and images that are embedded in stylesheets with data: URIs.
  • Dynamic JavaScript code evaluation with eval().

Policy Configuration

Telerik UI for Blazor components need the following exceptions to strict CSP. Some of them depend on the product version or product usage.

  • Allow inline styles ('unsafe-inline') to use component parameters such as Width, Height, RowHeight, ItemHeight, Top, Left, etc. In addition, some components rely on inline styles for their rich functionality and UX.
  • Allow data URIs (data:) for images that are embedded in the CSS themes. These images are used for styled checkboxes and radio buttons, Slider ticks, and others.
  • (optional) Allow https://blazor.cdn.telerik.com as a source when using the Telerik CDN for styles or scripts.
  • (optional) Allow https://unpkg.com as a source when using it as a CDN for styles.

Legacy Settings

The following items concern older product versions:

  • (for versions 6.x) Allow script evaluation ('unsafe-eval'), which is required by the Spreadsheet for cell validation and formula compilation. If you don't use the Spreadsheet component in your Blazor app, you can build a CSP compliant telerik-blazor.js file without the Spreadsheet.
  • (up to version 4.6.0) Allow data: URIs for font-src to use font icons. Later versions use a separate file for the WebComponentsIcons icon font. This font file is referenced by the font icon stylesheet.
  • (up to version 4.4.0) Allow unsafe-eval to use Chart label templates and Map templates. These templates used to rely on eval(). Starting with version 4.5.0, the Chart and Map templates support a different template mechanism, which doesn't require unsafe-eval.

Examples

The CSP policy directives below ensure that the Telerik Blazor components work as expected.

CSP for Telerik UI for Blazor 11.3.0 with SVG icon support and without CDN

HTML
<meta http-equiv="Content-Security-Policy" content="
      script-src 'self';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data:;
" />

CSP for Telerik UI for Blazor 11.3.0 with CDN and font icon support

HTML
<meta http-equiv="Content-Security-Policy" content="
      script-src 'self' https://blazor.cdn.telerik.com https://unpkg.com;
      style-src 'self' 'unsafe-inline' https://blazor.cdn.telerik.com https://unpkg.com;
      img-src 'self' data:;
      font-src 'self' https://blazor.cdn.telerik.com https://unpkg.com;
" />
In this article
IntroductionPolicy ConfigurationLegacy SettingsExamples
Not finding the help you need?
Contact Support