This is a migrated thread and some comments may be shown as answers.

Getting Kendo MVC to work with Content Security Policy

3 Answers 90 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
RickC
Top achievements
Rank 1
RickC asked on 30 Mar 2018, 07:07 PM

Getting Kendo to work with a Content Security Policy in MVC 5 is not easy and documentation is scarce.

I tried using the NWebSec CSP package from Nuget (5.1.1 https://docs.nwebsec.com/en/aspnet4/index.html) but could not get Kendo to work with the NWebSec <content-Security-Policy> section in Web.config. Even though the CSP looked fine in report-only mode and Kendo Widgets work, as soon as you turn on the CSP, the Widgets fail completely.

I remarked out the <content-Security-Policy> section of the <nwebsec> in Web.config and moved all of my CSP directives back into <httpProtocol> <customHeaders> and Kendo MVC (2018.1.322) now works.

By maintaining NWebSec as part of the project and adding @using NWebsec.Mvc.HttpHeaders.Csp into Views and applying the HTMLHelper into script tags I get an automatically generated nonce for any inline scripts <script @Html.CspScriptNonce() > so it is still valuable to keep NWebSec

script-src 'self' 'unsafe-inline' 'unsafe-eval' kendo.cdn.telerik.com

Hope this is useful for someone else

3 Answers, 1 is accepted

Sort by
0
Konstantin Dikov
Telerik team
answered on 03 Apr 2018, 07:31 AM
Hello Rick,

Thank you for sharing your findings and the solution with the community. We will definitely take the time to investigate this thoroughly and update our documentation accordingly for the UI for ASP.NET MVC suite.

As a token of gratitude, you will find your Telerik Points updated.

Once again, thank you for sharing.


Regards,
Konstantin Dikov
Progress Telerik
Try our brand new, jQuery-free Angular components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
0
Gerardo
Top achievements
Rank 1
Veteran
Iron
answered on 12 Jun 2020, 03:49 PM
hi Konstantin, do you have any updates about this?
0
Martin
Telerik team
answered on 16 Jun 2020, 03:50 PM

Hello Gerardo,

There is an article in our documentation on the matter. Although it is in the jQuery one, it also applies for MVC. I hope you will find it helpful.

Regards,
Martin
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Tags
General Discussions
Asked by
RickC
Top achievements
Rank 1
Answers by
Konstantin Dikov
Telerik team
Gerardo
Top achievements
Rank 1
Veteran
Iron
Martin
Telerik team
Share this question
or