This is a migrated thread and some comments may be shown as answers.

Getting Kendo MVC to work with Content Security Policy

RickC asked on 30 Mar 2018, 07:07 PM

Getting Kendo to work with a Content Security Policy in MVC 5 is not easy and documentation is scarce.

I tried using the NWebSec CSP package from NuGet (5.1.1 https://docs.nwebsec.com/en/aspnet4/index.html) but could not get Kendo to work with the NWebSec <content-Security-Policy> section in Web.config. Even though the CSP looked fine in report-only mode and Kendo Widgets work, as soon as you turn on the CSP, the Widgets fail completely.

I remarked out the <content-Security-Policy> section of the <nwebsec> in Web.config and moved all of my CSP directives back into <httpProtocol> <customHeaders> and Kendo MVC (2018.1.322) now works.

By maintaining NWebSec as part of the project, adding @using NWebsec.Mvc.HttpHeaders.Csp into Views, and applying the HTMLHelper into script tags, I get an automatically generated nonce for any inline scripts <script @Html.CspScriptNonce() >, so it is still valuable to keep NWebSec.

script-src 'self' 'unsafe-inline' 'unsafe-eval' kendo.cdn.telerik.com

Hope this is useful for someone else.
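
Added example, not part of RickC's post and not NWebSec or Kendo code: a small JavaScript audit of what a script-src directive still permits, run against the policy quoted above. It goes slightly beyond the post by also applying the CSP Level 2+ rule that a nonce or hash source makes browsers ignore 'unsafe-inline'; the function names and the nonce value in the second sample are constructed for illustration.

```javascript
// Added example (hypothetical helper names); not NWebSec or Kendo code.

// Parse a CSP header value into a Map: directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report what a policy still permits for script execution.
function auditScriptSrc(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = d.get("script-src") || d.get("default-src");
  if (!sources) {
    return { inlineAllowed: true, evalAllowed: true, hasNonceOrHash: false,
             allowlist: [], findings: ["no script-src/default-src: scripts unrestricted"] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline'.
  const inlineAllowed = hasUnsafeInline && !hasNonceOrHash;
  const evalAllowed = lower.includes("'unsafe-eval'");
  const findings = [];
  if (inlineAllowed) findings.push("'unsafe-inline': any inline script runs, injected ones included");
  if (hasUnsafeInline && hasNonceOrHash)
    findings.push("nonce/hash present: 'unsafe-inline' is ignored, un-nonced inline scripts are blocked");
  if (evalAllowed) findings.push("'unsafe-eval': eval() and new Function() are permitted");
  // Unquoted sources are host or scheme allowlist entries.
  const allowlist = sources.filter((s) => !s.startsWith("'"));
  return { inlineAllowed, evalAllowed, hasNonceOrHash, allowlist, findings };
}

// The policy from the post, and a constructed variant with a made-up nonce.
const postedPolicy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' kendo.cdn.telerik.com";
const withNonce = postedPolicy + " 'nonce-CONSTRUCTEDnonce0123'";
console.log(auditScriptSrc(postedPolicy).findings);
console.log(auditScriptSrc(withNonce).findings);
```

Running the same audit in CI against the header value that actually ships makes it visible when 'unsafe-inline' or 'unsafe-eval' is still in the enforced policy.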

3 Answers, 1 is accepted

0
Konstantin Dikov
Telerik team
answered on 03 Apr 2018, 07:31 AM
Hello Rick,

Thank you for sharing your findings and the solution with the community. We will definitely take the time to investigate this thoroughly and update our documentation accordingly for the UI for ASP.NET MVC suite.

As a token of gratitude, you will find your Telerik Points updated.

Once again, thank you for sharing.


Regards,
Konstantin Dikov
Progress Telerik
0
Gerardo
answered on 12 Jun 2020, 03:49 PM
Hi Konstantin, do you have any updates about this?
0
Martin
Telerik team
answered on 16 Jun 2020, 03:50 PM

Hello Gerardo,

There is an article in our documentation on the matter. Although it is in the jQuery one, it also applies for MVC. I hope you will find it helpful.

Regards,
Martin
Progress Telerik
