Hello,
We are using the Content-Security-Policy in our ASP.NET MVC application and also using the Kendo UI controls.
Here are the details of the Content-Security-Policy:
<customHeaders>
<add name="Content-Security-Policy" value="default-src https:;
object-src 'none';
script-src 'self' 'unsafe-eval' 'nonce-03148CFC65E74341814490514E0CEDD8';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.zoomcharts-cloud.com;
form-action 'self';"></add>
</customHeaders>The application is running as expected until we remove the "unsafe-eval" from the "script-src" and the web page is throwing the below error:
Note:
- We have gone through instructions given in https://docs.telerik.com/aspnet-mvc/troubleshoot/troubleshooting-content-security-policy
- Here is the link of the sample application https://drive.google.com/file/d/1-wIb0dLE6UhUQc9gsjFYWTGBaPRjAcWG/view?usp=sharing
Please help us out.
Thanks & Regards
Raju Chauhan
1 Answer, 1 is accepted
Hi Raju,
Thank you for the code snippet, image, links, and details provided.
As in the first link and the following as well(in the last part) is pointed, the "unsafe-eval" is needed for the Content Security Policy.
I hope this information helps.
Kind Regards,
Anton Mironov
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.