Content Security Policy
If the strict Content-Security-Policy (CSP) mode is enabled, it disables the following browser features by default:
- Inline JavaScript, such as `<script></script>` blocks or DOM event attributes such as `onclick`, is blocked. All script code must live in separate files that are served from a safe-listed domain.
- Dynamic code evaluation through `eval()`, and string arguments for both `setTimeout` and `setInterval`, are blocked.
Kendo UI for jQuery Version 2024 Q4 and Later
Starting with the 2024.4.1112 (2024 Q4) release, all Kendo UI for jQuery components are CSP compliant.
Kendo UI for jQuery Versions between R1 2023 and 2024 Q4
The Kendo UI for jQuery R1 2023 release addresses the `unsafe-eval` directive for all components except the Spreadsheet. The rest of the Kendo UI components and internal mechanisms have been rewritten so that they no longer rely on `eval()` and `new Function()` calls.
To avoid including the `unsafe-eval` keyword in the `meta` tag of your project pages, and in this way to prevent the components from depending on `unsafe-eval`, you must rewrite all inline and external templates into CSP-compatible functional templates.
The engine for the inline and external templates will remain available. However, if you are using the previous template syntax, you must include the `unsafe-eval` directive in the `meta` tag.
Kendo UI for jQuery Versions before R1 2023
The Kendo UI for jQuery releases before R1 2023 use `eval()` calls internally for their templates to work. Thus, these earlier versions of Kendo UI for jQuery do not support the strict CSP mode.
If CSP is enabled for a Kendo UI application, you have to add the `unsafe-eval` keyword as a part of the `meta` tag that is used for enabling the CSP mode.

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
```
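The following added example (not Kendo's own code) shows why the previous string-template syntax depends on `unsafe-eval` while a functional template does not, and parses the `content` value of a CSP `meta` tag to check whether `script-src` still grants eval. The template compiler is a deliberately minimal stand-in for the Kendo engine, covering only the `#= expr #` placeholder; `parseCsp` and `allowsEval` are helper names assumed here.

```javascript
// String templates in the old syntax are compiled into code at runtime.
// This toy compiler turns "<li>#= data.name #</li>" into a function via
// new Function(), which is exactly the dynamic code evaluation that a
// strict CSP blocks unless 'unsafe-eval' is present. It is a stand-in
// for the real engine, not Kendo's implementation.
function compileStringTemplate(source) {
  // Splitting on a capturing group puts literal text at even indexes
  // and the embedded expressions at odd indexes.
  const parts = source.split(/#=(.+?)#/);
  const code = parts
    .map((p, i) => (i % 2 ? '(' + p + ')' : JSON.stringify(p)))
    .join(' + ');
  return new Function('data', 'return ' + code + ';'); // needs 'unsafe-eval'
}

// A functional template is ordinary script: no code generation happens,
// so it runs under a strict CSP without 'unsafe-eval'.
const functionalTemplate = (data) => `<li>${data.name}</li>`;

// Parse the content attribute of a CSP meta tag into a directive map,
// e.g. { 'script-src': ["'self'", 'https://kendo.cdn.telerik.com'] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Report whether scripts may use eval(): script-src governs this and,
// per the CSP spec, falls back to default-src when it is absent.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  return sources.includes("'unsafe-eval'");
}

// Constructed policies: the legacy one from the meta tag above, and the
// stricter one that 2024 Q4 and later components can run under.
const legacyPolicy = "script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;";
const strictPolicy = "script-src 'self' https://kendo.cdn.telerik.com;";
```

Drop `'unsafe-eval'` only once every template in the page has been rewritten to the functional form; otherwise the old engine's `new Function()` call fails at runtime.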