
Content Security Policy

If the strict Content-Security-Policy (CSP) mode is enabled, it disables the following browser features by default:

  • Inline JavaScript, such as <script></script>, or DOM event attributes, such as onclick, are blocked. All script code must live in separate files that are served from a safe-listed domain.
  • Dynamic code evaluation through eval() and string arguments for both setTimeout and setInterval are blocked.

(For R1 2023 and Later) Working with Kendo UI for jQuery

The Kendo UI for jQuery R1 2023 release addresses the unsafe-eval directive for all components except for the Spreadsheet. Most of the core engine of the Kendo UI for jQuery Spreadsheet relies on Function evaluation, and rewriting the logic of the component would lead to a great number of breaking changes.

The rest of the Kendo UI components and internal mechanisms have been rewritten so that they no longer use eval() or new Function() calls.

To avoid including the unsafe-eval keyword in the meta tag of your project pages, and so keep the components from depending on unsafe-eval, you must rewrite all inline and external templates into CSP-compatible functional templates.

The engine for the inline and external templates will remain available. However, if you are using the previous template syntax, you must include the unsafe-eval directive in the meta tag.

(Before R1 2023) Working with Kendo UI for jQuery

The Kendo UI for jQuery releases before R1 2023 use eval() calls internally for their templates to work. Thus, in these previous versions, Kendo UI for jQuery does not support the strict CSP mode.

If CSP is enabled for a Kendo UI application, you have to add the unsafe-eval keyword as a part of the meta tag that is used for enabling the CSP mode.

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
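To check whether a page's policy still carries the exception described above, the following added example (not part of the Kendo UI documentation or code base) parses a CSP string and reports whether it permits eval-style evaluation and inline scripts. The helper names parseCsp and auditScriptPolicy are hypothetical, and the second sample policy is constructed for comparison.

```javascript
// Added example: audit a CSP string for the script-execution features discussed on this page.
// parseCsp and auditScriptPolicy are hypothetical helper names, not Kendo UI APIs.

// Split a policy into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether the policy lets eval()/new Function() and inline scripts run.
function auditScriptPolicy(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) {
    return { restricted: false, allowsEval: true, allowsInline: true, hosts: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    restricted: true,
    allowsEval: lower.includes("'unsafe-eval'"),
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    allowsInline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    // Everything that is not a quoted keyword is a host or scheme source.
    hosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Policy from the meta tag on this page (pre-R1 2023, or the previous template syntax).
const legacyPolicy = "script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;";
// Constructed sample: the same policy with 'unsafe-eval' dropped, as for functional templates.
const strictPolicy = "script-src 'self' https://kendo.cdn.telerik.com;";

for (const policy of [legacyPolicy, strictPolicy]) {
  const result = auditScriptPolicy(policy);
  console.log(policy, "->", JSON.stringify(result));
}
```

Running the same check over the policies of deployed pages shows which ones still depend on unsafe-eval after templates have been migrated.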
