Content Security Policy stopping the execution of Kendo Controls (.net MVC, Razor, Jquery)

Accessibility DropDownList Grid
Shobhit asked on 22 Aug 2023, 01:22 PM

After implementing the Content Security Policy (CSP) in our application, various Kendo controls have stopped working. The CSP blocks execution of inline scripts, and since the Kendo controls are creating scripts while they render, CSP finds it as a threat and hence blocks its execution.

Below is a snapshot of the browser console error. All of the 5 errors are being thrown by Kendo controls.

When the Kendo Control, such as a grid, is rendered, a script tag is generated. Please check the below screenshot for reference.

Here, we have a grid, divIFAResults. When it is rendered on the screen, a script tag with Kendo.syncReady() is generated. The Kendo Grid relies on this script for its smooth execution, but our CSP blocks this script, in turn making the control unusable.

We have added 'unsafe-eval' as per the Telerik docs for CSP. We are using the Kendo files hosted in our own project, not from a CDN.

1 Answer, 1 is accepted

Georgi Denchev
Telerik team
answered on 25 Aug 2023, 09:38 AM

Hello, Shobhit,

Thank you for the provided screenshots.

The `unsafe-inline` directive is still a requirement for the Kendo components to work. We haven't finished with the CSP improvements yet.

At this time, if you're using R1 2023 or a newer release, you can remove the `unsafe-eval` from the meta tag; however, you must keep `unsafe-inline`. We'll have another announcement once we are fully CSP compliant.

Best Regards,
Georgi Denchev
Progress Telerik
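To check which of the two keywords discussed in this thread a given policy actually grants, the following added example (not code from the question, the answer or Telerik) parses a policy string and reports whether an inline `<script>` without a matching nonce or hash may run and whether `eval` may run. The function names and the sample policies are constructed for illustration; it also covers the case where browsers ignore `'unsafe-inline'` because a nonce, hash or `'strict-dynamic'` is listed in the same directive.

```javascript
// Added example; the sample policies at the bottom are constructed.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Reports whether an inline <script> without a matching nonce or hash may run,
// and whether eval()/new Function() may run, under one policy string.
function inlineScriptStatus(policy) {
  const d = parseCsp(policy);
  const lower = (list) => list.map((s) => s.toLowerCase());
  // <script> elements: script-src-elem, then script-src, then default-src.
  const elem = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  // eval is governed by script-src, falling back to default-src.
  const evalSrc = d.get('script-src') ?? d.get('default-src');
  const evalAllowed = evalSrc === undefined || lower(evalSrc).includes("'unsafe-eval'");
  if (elem === undefined) {
    return { inlineAllowed: true, evalAllowed, reason: 'no directive restricts scripts' };
  }
  const src = lower(elem);
  if (!src.includes("'unsafe-inline'")) {
    return { inlineAllowed: false, evalAllowed, reason: "'unsafe-inline' missing" };
  }
  // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is listed.
  const overridden = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s)) ||
    src.includes("'strict-dynamic'");
  return overridden
    ? { inlineAllowed: false, evalAllowed, reason: "'unsafe-inline' ignored (nonce/hash/strict-dynamic)" }
    : { inlineAllowed: true, evalAllowed, reason: "'unsafe-inline' in effect" };
}

// Constructed policies: 'unsafe-eval' only, 'unsafe-inline' only, and
// 'unsafe-inline' combined with a nonce.
const samples = [
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-constructedValue'",
];
for (const p of samples) console.log(p, '=>', inlineScriptStatus(p));
```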
