I have an Editor on a page and there are several Content Security Policy violations in the console. Here is an example:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-attr 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='". Either the 'unsafe-inline' keyword, a hash ('sha256-5TmCSWsRHHKtNC4AgS23KS5Z9SBqma0xikI6H6iJ1/Y='), or a nonce ('nonce-...') is required to enable inline execution.
Is it possible to use an Editor without adding unsafe-inline to style-src-attr?
Thank you
1 Answer, 1 is accepted
Hello Tim,
To make the Editor CSP compatible, set its Nonce and UnsafeInline as explained in the following documentation section: https://docs.telerik.com/aspnet-core/html-helpers/editors/editor/overview#csp-compliance
For example:
@(Html.Kendo().Editor()
.Name("editor")
.Nonce("@nonce")
.UnsafeInline(false)
)
<style nonce="@@nonce">
.k-editor{
height: 400px;
}
</style>Regards,
Ivan Danchev
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.
Rank 3
Iron
Iron
Iron
Hi Ivan,
I have tried the method above but it has no effect on the content security policy errors.
Shouldn't <style nonce="@@nonce"> have only one '@' character?
Is there a working example I can refer to?
Thanks for your help
Rank 3
Iron
Iron
Iron
I think I figured out the issue. Please ignore my previous comment.
Thanks
Rank 3
Iron
Iron
Iron
The code above did not work for me. I made this change:
.Nonce("@nonce") -> .Nonce(Model.nonce)
Thanks