Unable to implement CSP with Kendo UI for jquery

Amit asked on 20 Feb 2023, 08:44 AM

Hi ,

I am testing the trial version of v2023.1.117 Kendo UI for jQuery. I have upgraded the jQuery version to the latest.

I am trying to implement a CSP header in the web pages using a meta tag.

 <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'sha256-lzhPGNqxpwmBda/ftMrdga7dSTDWPq2rpjz66R6TVFw=' http://localhost:9000/xxxx/js/lib; script-src 'self' 'sha256-lzhPGNqxpwmBda/ftMrdga7dSTDWPq2rpjz66R6TVFw=' http://localhost:9000/xxxx/js/lib;  style-src 'self' 'sha256-lzhPGNqxpwmBda/ftMrdga7dSTDWPq2rpjz66R6TVFw=' http://localhost:9000/xxxx/js/lib;">

I am getting an error. I can't use the unsafe tag in the CSP. Any thoughts on what I am missing?

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-lzhPGNqxpwmBda/ftMrdga7dSTDWPq2rpjz66R6TVFw=' http://localhost:9000/recon/js/lib". Either the 'unsafe-inline' keyword, a hash ('sha256-g6wc7vdud1aSmTLcpHjWXR0Wfvqff5mhy00lnnvIu5c='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Xt @ kendo.all.js:313050
t.attachTo @ kendo.all.js:313050
t.load @ kendo.all.js:313050
i.draw @ kendo.all.js:313050
draw @ kendo.all.js:313050
_redraw @ kendo.all.js:313050
(anonymous) @ kendo.all.js:313050
Re.loadFonts @ kendo.all.js:313050
Re.preloadFonts @ kendo.all.js:313050
init @ kendo.all.js:313050
_createChart @ kendo.all.js:313050
_initChart @ kendo.all.js:313050
_initDataSource @ kendo.all.js:313050
init @ kendo.all.js:313050
(anonymous) @ kendo.all.js:313050
each @ jquery-3.6.3.min.js:2
each @ jquery-3.6.3.min.js:2
t.fn.<computed> @ kendo.all.js:313050
e @ jquery-3.6.3.min.js:2
t @ jquery-3.6.3.min.js:2

 

Thanks in advance

1 Answer, 1 is accepted

Nikolay
Telerik team
answered on 22 Feb 2023, 03:21 PM

Hello Amit,

This question has already been answered in a support thread; however, I will summarize the replies here so others facing the same scenario can benefit from it.

The following options must be included in the CSP header in order for the Kendo UI library to function properly:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval'">

If you're using the CSP-supported templates, you can get rid of the unsafe-eval option from the header.

Regards,
Nikolay
Progress Telerik
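
The console error in the question lists what makes an inline style acceptable to the browser: 'unsafe-inline', a matching hash, or a nonce, with 'unsafe-hashes' required before a hash can cover a style attribute. The following is an added example, not code from this thread or from Kendo UI, that applies those rules to the policy and the reported hash from the question; the helper names parseCsp and checkInlineStyle are hypothetical, and whether the blocked style is a <style> element or a style attribute is left as an input because the thread does not say.

```javascript
// Added illustration; parseCsp and checkInlineStyle are hypothetical helper names.
// Policy and hash values below are copied from the question and its console error.
const PAGE_STYLE_POLICY =
  "style-src 'self' 'sha256-lzhPGNqxpwmBda/ftMrdga7dSTDWPq2rpjz66R6TVFw=' http://localhost:9000/xxxx/js/lib";
const REPORTED_HASH = "sha256-g6wc7vdud1aSmTLcpHjWXR0Wfvqff5mhy00lnnvIu5c=";

// Split a policy into directive name -> source list. A repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// kind: "element" for a <style> block, "attribute" for a style="..." attribute.
// hash: the value the browser prints in its "Refused to apply inline style" error.
function checkInlineStyle(policy, { kind, hash, nonce }) {
  const directives = parseCsp(policy);
  const specific = kind === "attribute" ? "style-src-attr" : "style-src-elem";
  const name = [specific, "style-src", "default-src"].find((n) => directives.has(n));
  if (!name) return { allowed: true, reason: "no directive governs inline styles" };

  const sources = directives.get(name);
  const keywords = sources.map((s) => s.toLowerCase());
  const hashes = sources.filter((s) => /^'sha(256|384|512)-/i.test(s));
  const nonces = sources.filter((s) => /^'nonce-/i.test(s));

  // 'unsafe-inline' is ignored as soon as the list carries any hash or nonce.
  if (keywords.includes("'unsafe-inline'") && hashes.length + nonces.length === 0) {
    return { allowed: true, reason: `${name} has 'unsafe-inline'` };
  }
  // Nonces can only be attached to elements, never to style attributes.
  if (kind === "element" && nonce && nonces.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, reason: `${name} nonce matches` };
  }
  // Hashes cover <style> elements; attributes also need 'unsafe-hashes'.
  const hashUsable = kind === "element" || keywords.includes("'unsafe-hashes'");
  if (hash && hashUsable && hashes.includes(`'${hash}'`)) {
    return { allowed: true, reason: `${name} hash matches` };
  }
  return { allowed: false, reason: `${name} has no usable match for this inline ${kind}` };
}

console.log(checkInlineStyle(PAGE_STYLE_POLICY, { kind: "element", hash: REPORTED_HASH }));
```

Run against the question's policy, the check reports the style as blocked because the only hash in style-src is not the one the browser computed for the inline style.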


Tags
Grid