Getting Kendo to work with a Content Security Policy in MVC 5 is not easy and documentation is scarce.
I tried using the NWebSec CSP package from Nuget (5.1.1 https://docs.nwebsec.com/en/aspnet4/index.html) but could not get Kendo to work with the NWebSec <content-Security-Policy> section in Web.config. Even though the CSP looked fine in report-only mode and Kendo Widgets work, as soon as you turn on the CSP, the Widgets fail completely.
I remarked out the <content-Security-Policy> section of the <nwebsec> in Web.config and moved all of my CSP directives back into <httpProtocol> <customHeaders> and Kendo MVC (2018.1.322) now works.
By maintaining NWebSec as part of the project and adding @using NWebsec.Mvc.HttpHeaders.Csp into Views and applying the HTMLHelper into script tags I get an automatically generated nonce for any inline scripts <script @Html.CspScriptNonce() > so it is still valuable to keep NWebSec
script-src 'self' 'unsafe-inline' 'unsafe-eval' kendo.cdn.telerik.com
Hope this is useful for someone else