If the strict Content-Security-Policy (CSP) mode is enabled, it disables the following browser features by default:

- `<script></script>` elements or DOM event attributes, such as `onclick`, are blocked. All script code must live in separate files that are served from a safe-listed domain.
- Dynamic code evaluation through `eval()` and string arguments for both
The Kendo UI for jQuery R1 2023 release addresses the `unsafe-eval` directive for all components except for the Spreadsheet. For the bigger part of its core engine, the Kendo UI for jQuery Spreadsheet uses `Function` evaluation, and rewriting the logic of the component would lead to a great number of breaking changes.
The rest of the Kendo UI components and internal mechanisms have been rewritten to discard the usage of the `new Function()` calls.
To avoid including the `unsafe-eval` keyword in the `meta` tag of your project pages, and so to prevent the components from depending on `unsafe-eval`, you must rewrite all inline and external templates into CSP-compatible functional templates.
The Kendo UI for jQuery releases before R1 2023 use `eval()` calls for their templates to work internally. Thus, these previous versions of Kendo UI for jQuery do not support the strict CSP mode.
If CSP is enabled for a Kendo UI application, you have to add the `unsafe-eval` keyword as a part of the `meta` tag that is used for enabling the CSP mode:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
```
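As an added example (not part of the Kendo UI documentation or the library's code), the following JavaScript contrasts the `new Function()`-based string template that forces `'unsafe-eval'` with a CSP-compatible functional template, and checks a CSP `meta` value for `'unsafe-eval'`. `compileStringTemplate`, `htmlEncode`, `parseCsp` and `allowsEval` are hypothetical helpers written here, not Kendo APIs, and the inputs are constructed.

```javascript
// Added example, not Kendo's own code: the eval-based template pattern that
// needs 'unsafe-eval', a CSP-compatible functional template, and a checker
// for the CSP meta/header value. All helpers and inputs are constructed.

// Toy string-template compiler: turns "#= field #" placeholders into a
// function body and compiles it with new Function(). This is the runtime
// code generation that a strict script-src blocks (hypothetical helper,
// only to show the pattern; not Kendo's compiler).
function compileStringTemplate(source) {
  const body = 'return "' +
    source.replace(/"/g, '\\"').replace(/#=\s*(\w+)\s*#/g, '" + data.$1 + "') +
    '";';
  return new Function('data', body); // rejected without 'unsafe-eval'
}

// Minimal HTML encoder standing in for a library encoder (assumption).
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Functional template: a plain function builds the markup, so no code is
// generated at runtime and the policy does not need 'unsafe-eval'.
const greetTemplate = (data) => `<span>Hello ${htmlEncode(data.name)}</span>`;

// Parse a CSP string ("directive value value; directive ...") into a map.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// True when the policy permits eval()/new Function(): script-src governs;
// default-src applies as fallback; with neither, nothing restricts eval.
function allowsEval(policy) {
  const directives = parseCsp(policy);
  const sources = directives['script-src'] ?? directives['default-src'];
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed inputs: the page's meta value and a strict variant.
const withEval = "script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;";
const strict = "script-src 'self' https://kendo.cdn.telerik.com;";
console.log(allowsEval(withEval), allowsEval(strict)); // true false
console.log(greetTemplate({ name: '<img src=x>' })); // <span>Hello &lt;img src=x&gt;</span>
```

Running `allowsEval` over the policies your pages ship is a quick way to confirm that `'unsafe-eval'` was actually dropped after the templates were converted.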