Remove unsafe Content-Security-Policy (CSP) directives for Kendo Controls

Button Calendar DropDownList Grid Menu PanelBar TabStrip ToolTip
abdul asked on 14 May 2025, 05:32 PM

Hi,

We are using Kendo controls for MVC. A security scan was done on our application, and it captured a few security issues.

We are able to fix all of the security issues except one.

CWE 829 - The application contains unsafe Content-Security-Policy (CSP) directives that could allow malicious script code to be included on the page.

So, as a result, we have moved all the custom inline JavaScript and CSS to external files and refer to those external .js and .css files in our .cshtml page.

But when we use any of the Kendo controls, like the Kendo grid or Kendo calendar, at runtime they create some inline scripts and we are getting "application contains unsafe Content-Security-Policy (CSP) directives".

How can we bypass those runtime inline scripts created by Kendo controls so that we don't get unsafe Content-Security-Policy (CSP) directives during the security scan of the application?

Please let me know if you need any more information on this.

1 Answer, 1 is accepted

Eyup
Telerik team
answered on 19 May 2025, 03:54 PM

Hi Abdul,

 

Thank you for reaching out.

The Telerik UI for MVC and the Kendo UI for jQuery support CSP compatibility:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/content-security-policy

To activate it, you can enable the <meta> tag provided in the article above and make some changes in the Global.asax and web.config files:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/deferred-initialization#deferring-components-globally

The only error you will see in the console is coming from the Trial message:

Which will go off when you are using the licensed assembly.

Please download and run the sample and let me know if you find this information helpful.

 

Regards,
Eyup
Progress Telerik


abdul
commented on 09 Jun 2025, 05:42 PM

Hi Eyup,

Thanks for your response. We have tried it and it's working for simple Kendo controls. For example, when we have a few textboxes, Kendo dropdowns and buttons, it's working properly.

We have another scenario, where we have a Kendo TabStrip, and inside the Kendo TabStrip we have Kendo dropdowns and Kendo grids. In this scenario, when we try to load the TabStrip it loads properly, but when we try to load the Kendo dropdowns or Kendo grids they do not load and return undefined.

Can you please let us know how to load the child controls inside a parent?

This is how we load our Kendo controls in external JavaScript files; the Kendo controls are in the .cshtml file, and we reference the external JavaScript file in the .cshtml page.

var sampleDateDt= $("#sampleDate").data("kendoDatePicker");
var ddlStates= $("#states").data("kendoDropDownList");


 

Eyup
Telerik team
commented on 12 Jun 2025, 01:08 PM

I am glad the provided assistance has proven helpful.

As for the new question and more complex cases, you can check the specially designed component called Template:
https://demos.telerik.com/aspnet-core/template/integration-grid

It was introduced exactly for CSP scenarios.

If there are further questions on this matter, please feel free to open a new ticket so we can keep the threads organized and focused on specific questions.
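
As an added example (not code from this thread or from Telerik), the JavaScript below audits a Content-Security-Policy string for the source keywords behind this kind of CWE-829 finding, including the `default-src` fallback for script and style directives. It assumes the finding refers to `'unsafe-inline'` / `'unsafe-eval'`; the function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a CSP string for unsafe script/style source keywords.
const FALLBACK_TO_DEFAULT = ["script-src", "style-src"];
const UNSAFE = ["'unsafe-inline'", "'unsafe-eval'"];

// Parse "name v1 v2; name2 v3" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of FALLBACK_TO_DEFAULT) {
    const explicit = directives.has(name);
    // script-src and style-src fall back to default-src when absent.
    const sources = explicit ? directives.get(name) : directives.get("default-src");
    const via = explicit ? name : "default-src";
    if (sources === undefined) {
      findings.push(`${name}: no directive and no default-src, so nothing is restricted`);
      continue;
    }
    const lower = sources.map((s) => s.toLowerCase());
    // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is present.
    const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    for (const bad of UNSAFE) {
      if (!lower.includes(bad)) continue;
      const note = bad === "'unsafe-inline'" && hasNonceOrHash
        ? " (ignored by CSP2+ browsers because a nonce/hash is present)"
        : "";
      findings.push(`${name}: ${bad} allowed via ${via}${note}`);
    }
  }
  return findings;
}

// Constructed sample policies, not taken from the thread.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const STRICT = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self'";
console.log(auditCsp(WEAK));
console.log(auditCsp(STRICT));
```

Running it against the policy the application actually sends (response header or `<meta>` tag) shows which directive still carries an unsafe keyword once inline scripts have been moved to external files.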
