Understanding CSP Support with Telerik UI for ASP.NET AJAX
Environment
| Product | Telerik UI for ASP.NET AJAX |
|---|---|
| Version | Current |
Description
When integrating Telerik UI for ASP.NET AJAX into a web application that enforces a Content Security Policy (CSP), the 'unsafe-inline' and 'unsafe-eval' source expressions must be included. This requirement stems from the Microsoft AJAX client-side library used by ASP.NET Web Forms, which relies on inline scripts and on functions such as setTimeout(), setInterval(), and eval().
Cause
The ASP.NET Web Forms framework and, by extension, Telerik UI for ASP.NET AJAX depend on the Microsoft AJAX client-side library. This library uses eval() and inline scripts extensively, making it incompatible with a strict CSP that omits the 'unsafe-inline' and 'unsafe-eval' source expressions.
Solution
As Microsoft's Content Security Vulnerability in ASP.NET(WebForms) blog post advises, to ensure the proper functioning of your ASP.NET Web Forms application you should include at least the following minimal CSP configuration:

```html
<meta
  http-equiv="Content-Security-Policy"
  content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
/>
```
For applications that load Telerik UI for ASP.NET AJAX from the CDN over HTTPS, use this extended CSP configuration:

```html
<meta
  http-equiv="Content-Security-Policy"
  content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://d2i2wahzwrm1n5.cloudfront.net;
           style-src 'self' 'unsafe-inline' https://d35islomi5rx1v.cloudfront.net;
           font-src 'self' https://d35islomi5rx1v.cloudfront.net data:;
           img-src 'self' https://d35islomi5rx1v.cloudfront.net data:"
/>
```

Note that data: is a scheme source and is written without quotes; only keyword sources such as 'self' and 'unsafe-inline' are quoted. A quoted 'data:' is not a valid source expression and browsers ignore it, so fonts and images embedded as data URIs would be blocked.
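As an added example (not Telerik's or Microsoft's code), the following Python checker parses a CSP string, reports whether its script-src carries the two source expressions Web Forms needs, and flags quoted scheme sources such as 'data:' that browsers silently discard. The sample policy it checks is constructed for this example and mirrors the extended configuration above.

```python
"""Parse a Content-Security-Policy string and check it against the needs of an
ASP.NET Web Forms / Telerik UI for ASP.NET AJAX page. Added example, not vendor code."""
from __future__ import annotations

# Keyword sources are the only tokens that take single quotes; scheme sources
# (data:, https:) and host sources must be unquoted.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'",
            "'wasm-unsafe-eval'", "'strict-dynamic'", "'report-sample'"}

# Constructed sample: the article's extended policy with the quoted 'data:' mistake.
SAMPLE_POLICY = (
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://d2i2wahzwrm1n5.cloudfront.net; "
    "style-src 'self' 'unsafe-inline' https://d35islomi5rx1v.cloudfront.net; "
    "font-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:'; "
    "img-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:'"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}; a repeated directive is
    ignored, matching browser behaviour (first occurrence wins)."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_sources(directives: dict[str, list[str]]) -> list[str]:
    """Report quoted tokens that are neither keywords nor nonce/hash sources."""
    problems = []
    for name, sources in directives.items():
        for src in sources:
            if src.startswith("'") and src not in KEYWORDS \
                    and not src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
                problems.append(f"{name}: {src} is not a valid source expression (unquote it)")
    return problems


def webforms_compatible(directives: dict[str, list[str]]) -> bool:
    """Web Forms needs both 'unsafe-inline' and 'unsafe-eval' for scripts.
    script-src falls back to default-src when absent, as in the CSP spec."""
    script = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in script and "'unsafe-eval'" in script


if __name__ == "__main__":
    parsed = parse_csp(SAMPLE_POLICY)
    print("Web Forms compatible:", webforms_compatible(parsed))
    for problem in lint_sources(parsed):
        print("lint:", problem)
```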
Suggested Workarounds
For projects where strict CSP compliance is a priority, consider migrating to Telerik UI for ASP.NET MVC or Telerik UI for ASP.NET Core. These products have enhanced CSP support:
- As of the R1 2023 release, 'unsafe-eval' is no longer required.
- Starting with the R3 2023 release, 'unsafe-inline' in the style-src directive is no longer required, except for specific components such as the Editor, ResponsivePanel, GridLayout, and StackLayout.
Notes
Due to the reliance on the Microsoft AJAX framework, achieving full CSP compliance without 'unsafe-inline' and 'unsafe-eval' is challenging for ASP.NET Web Forms applications. Microsoft's focus has shifted towards ASP.NET MVC and Core, emphasizing the need for modernization and security compliance in web development.