If a strict Content-Security-Policy (CSP) mode is enabled, some browser features are disabled, such as:
- Inline scripts, such as <script></script> or DOM event attributes like onclick, are blocked. All script code must reside in separate files, served from a whitelisted domain.
- Dynamic code evaluation via eval() and string arguments for both
- Fonts and images from Base64 data: portions in stylesheets.
These limitations can adversely affect the Telerik UI for Blazor components, because they need the following:
- data: sources to be allowed for fonts, because that's how the font icons we use are loaded.
- setTimeout() is used for animations and eval() is used for the chart templates.
- If you use our CDN, you must also allow it as a source for scripts and stylesheets.
<meta http-equiv="Content-Security-Policy" content=" script-src 'self' 'unsafe-eval' https://kendo.cdn.telerik.com; style-src 'self' 'unsafe-inline' https://unpkg.com; font-src 'self' data:; img-src 'self' data:" />
If you do not use our CDN services, you can remove their domains. If you do not use the templates of the charts, you may also be able to remove
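The following is an added example, not Telerik's code: a small Node.js audit of the policy string from the meta tag above, listing every source that relaxes the policy and the hardening directives it leaves unset. The function names and the list of directives checked are assumptions made for illustration.

```javascript
// Added example: audit a CSP string for the relaxations discussed on this page.
// POLICY is copied from the page's <meta> tag; all function names are illustrative.
const POLICY =
  " script-src 'self' 'unsafe-eval' https://kendo.cdn.telerik.com; " +
  "style-src 'self' 'unsafe-inline' https://unpkg.com; " +
  "font-src 'self' data:; img-src 'self' data:";

// Split "name src1 src2; name2 ..." into a Map of directive -> [sources].
// Per the CSP spec, a repeated directive is ignored (the first one wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Classify every source that loosens the policy beyond 'self'.
function auditCsp(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    for (const src of sources) {
      const s = src.toLowerCase();
      let kind = null;
      if (s === "'unsafe-eval'") kind = "allows eval() and string timers";
      else if (s === "'unsafe-inline'") kind = "allows inline code or styles";
      else if (s === "data:") kind = "allows Base64 data: resources";
      else if (s === "*" || /^https?:(\/\/\*)?$/.test(s)) kind = "wildcard source";
      else if (/^https?:\/\//.test(s)) kind = "external host";
      if (kind) findings.push({ directive, source: src, kind });
    }
  }
  return findings;
}

// Directives the policy never sets. With no default-src, fetch directives such
// as object-src are unrestricted; base-uri has no fallback at all.
function missingDirectives(policy, wanted = ["default-src", "object-src", "base-uri"]) {
  const parsed = parseCsp(policy);
  return wanted.filter((d) => !parsed.has(d));
}

for (const f of auditCsp(POLICY)) console.log(`${f.directive}: ${f.source} (${f.kind})`);
console.log("not set:", missingDirectives(POLICY).join(", "));
```

Run it against the policy you actually ship after removing the sources you do not need, and review any finding that remains.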