Kendo UI is breaking when using strict content-security-policy

1 Answer 37 Views
Grid Security
raju
Top achievements
Rank 1
raju asked on 17 Dec 2021, 06:36 PM | edited on 18 Dec 2021, 05:41 AM

Hello,

We are using the Content-Security-Policy in our ASP.NET MVC application and also using the Kendo UI controls.

Here are the details of the Content-Security-Policy:

 

<customHeaders>
  <add name="Content-Security-Policy" value="default-src https:;
object-src 'none';
script-src 'self' 'unsafe-eval' 'nonce-03148CFC65E74341814490514E0CEDD8';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.zoomcharts-cloud.com;
form-action 'self';"></add>
</customHeaders>

The application is running as expected until we remove the "unsafe-eval" from the "script-src" and the web page is throwing the below error:

 

Note:

 

Please help us out.

Thanks & Regards

Raju Chauhan

1 Answer, 1 is accepted

Sort by
0
Anton Mironov
Telerik team
answered on 22 Dec 2021, 01:56 PM

Hi Raju,

Thank you for the code snippet, image, links, and details provided.

As in the first link and the following as well(in the last part) is pointed, the "unsafe-eval" is needed for the Content Security Policy.

I hope this information helps.

Kind Regards,
Anton Mironov
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Tags
Grid Security
Asked by
raju
Top achievements
Rank 1
Answers by
Anton Mironov
Telerik team
Share this question
or