Hi,
We are using Kendo controls for MVC. There was a security scan done in our application, it capture few of the security issues.
We are able to fix all of the security issues except one.
CWE 829 - The application contains unsafe Content-Security-Policy (CSP) directives that could allow malicious script code to be included on the page.
So, as a result we have removed all the custom inline javascript and css to an external files and refer those external .js and .css files in our .cshtml page.
But when we use any of the Kendo controls like Kendo grid or Kendo calendar then in the runtime it create some inline scripts and we are getting application contains unsafe Content-Security-Policy (CSP) directives.
How to bypass those runtime inline scripts created by Kendo controls so that we don't get unsafe Content-Security-Policy (CSP) directives
during the security scan of the application.
Please let me know if you need any more information on this.
1 Answer, 1 is accepted
Hi Abdul,
Thank you for reaching out.
The Telerik UI for MVC and the Kendo UI for jQuery support CSP compatibility:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/content-security-policy
To activate it, you can enable the <meta> tag provided in the article above and some changes in Global.asax and web.config files:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/deferred-initialization#deferring-components-globally
The only error you will see in the console is coming from the Trial message:
Which will go off when you are using the licensed assembly.
Please download and run the sample and let me know if you find this information helpful.
Regards,
Eyup
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.