If the strict
Content-Security-Policy (CSP) mode is enabled, it disables the following browser features by default:
<script></script>, or DOM event attributes, such as
onclick, are blocked. All script code must reside in separate files that are served from a white-listed domain.
Dynamic code evaluation through
eval()and string arguments for both
Kendo UI for jQuery uses
eval() calls for its templates to work internally. Thus, Kendo UI for jQuery does not currently support the strict CSP mode.
If CSP is enabled for a Kendo UI application, you have to add at least the
unsafe-eval keyword as a part of the
meta tag that is used for enabling the CSP mode.
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">