Content Security Policy
If a strict
Content-Security-Policy (CSP) mode is enabled, some browser features are disabled, such as:
<script>tags or element attributes like
onclick, are blocked. All script code must reside in separate files, served from a whitelisted domain.
- Fonts and images from Base64
data:portions in stylesheets.
These limitations can affect the Kendo UI for Angular components, because they need the following:
font-srcto enable the loading of font icons.
- If you use our CDN, you must also allow it as a source for stylesheets.
<meta http-equiv="Content-Security-Policy" content=" style-src 'self' 'unsafe-inline' https://kendo.cdn.telerik.com; style-src-elem 'self' 'unsafe-inline' https://kendo.cdn.telerik.com; font-src 'self' data:; img-src 'self' data:" />
style-srcto enable Angular components to load encapsulated styles when:
- Using the Editor in encapsulated mode
A sample application is available on the Kendo UI for Angular public GitHub repo.
To enable CSP, your application needs to use Ahead of Time Compilation (AOT). The Just-in-Time (JIT) compiler is not suitable as it generates dynamic scripts at runtime.