Content Security Policy stopping the execution of Kendo Controls (.net MVC, Razor, Jquery)

1 Answer 96 Views
Accessibility DropDownList Grid
Shobhit
Top achievements
Rank 1
Shobhit asked on 22 Aug 2023, 01:22 PM

After Implmenting the Content Security Policy (CSP) in our application, various Kendo controls have stopped working. The CSP, blocks execution of inline scripts and since the Kendo controls are creating scripts while they render, CSP finds it as a threat and hence blocks its execution.

Below is a snapshot of the browser console error. All of the 5 errors are being thrown by kendo Controls.

When the Kendo Control, such as a grid, is rendered, a script tag is generated. Please check the below screenshot for reference.

Here, we have a grid, divIFAResults, when it is rendered on the screen, a script tag with Kendo.syncReady() is generated. The Kendo Grid relies on this script for its smooth execution, but our CSP blocks this script, inturn making the control unusable.

We have added 'unsafe-eval' as per the telerik docs for CSP. We are using the Kendo files hosted in our own project, not from CDN.

1 Answer, 1 is accepted

Sort by
0
Georgi Denchev
Telerik team
answered on 25 Aug 2023, 09:38 AM

Hello, Shobhit,

Thank you for the provided screenshots.

The `unsafe-inline` directive is still a requirement for the Kendo components to work. We haven't finished with the CSP improvements yet.

At this time, if you're using R1 2023 or a newer release, you can remove the `unsafe-eval` from the meta tag, however you must keep `unsafe-inline`. We'll have another announcement once we are fully CSP compliant.

Best Regards,
Georgi Denchev
Progress Telerik

Stay tuned by visiting our public roadmap and feedback portal pages! Or perhaps, if you are new to our Kendo family, check out our getting started resources
Tags
Accessibility DropDownList Grid
Asked by
Shobhit
Top achievements
Rank 1
Answers by
Georgi Denchev
Telerik team
Share this question
or