New to Telerik UI for ASP.NET AJAX? Download free 30-day trial

Understanding CSP Support with Telerik UI for ASP.NET AJAX

Environment

Product Telerik UI for ASP.NET AJAX
Version Current

Description

When integrating Telerik UI for ASP.NET AJAX into web applications with a Content Security Policy (CSP), it's necessary to include 'unsafe-inline' and 'unsafe-eval' directives. This requirement stems from the Microsoft AJAX client-side library used by ASP.NET Web Forms, which relies on functions like setTimeout(), setInterval(), inline scripts, and eval().

Cause

The ASP.NET Web Forms framework and, by extension, Telerik UI for ASP.NET AJAX depend on the Microsoft AJAX client-side library. This library uses eval() and inline scripts extensively, making it incompatible with a strict CSP that excludes 'unsafe-inline' and 'unsafe-eval' directives.

Solution

As Microsoft's Content Security Vulnerability in ASP.NET(WebForms) blog post advices to ensure the proper functioning of your ASP.NET Web Forms application, you should include the following minimal CSP configuration:

<meta
    http-equiv="Content-Security-Policy"
    content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ;"
     />

For applications using Telerik UI for ASP.NET AJAX with CDN over HTTPS, use this extended CSP configuration:

<meta
    http-equiv="Content-Security-Policy"
    content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://d2i2wahzwrm1n5.cloudfront.net ;
             style-src 'self' 'unsafe-inline' https://d35islomi5rx1v.cloudfront.net ;
             font-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:';
             img-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:'"
     />

Suggested Workarounds

For projects where strict CSP compliance is a priority, consider migrating to Telerik UI for ASP.NET MVC or Telerik UI for ASP.NET Core. These products have enhanced CSP support:

  • As of the R1 2023 release, 'unsafe-eval' is no longer required.
  • Starting with the R3 2023 release, 'unsafe-inline' in the "style-src" directive won't be necessary, except for specific components like the Editor, ResponsivePanel, GridLayout, and StackLayout.

Notes

Due to the reliance on the Microsoft AJAX framework, achieving full CSP compliance without 'unsafe-inline' and 'unsafe-eval' is challenging for ASP.NET Web Forms applications. Microsoft's focus has shifted towards ASP.NET MVC and Core, emphasizing the need for modernization and security compliance in web development.

See Also

In this article