"In my ASP.NET MVC 5 project, I am migrating to a strict Content Security Policy (CSP) to eliminate the use of 'unsafe-inline' for scripts. While I have successfully implemented the Nonce approach to secure my initial page loads, I still have two outstand

Priyanshi Vasoya 0 Reputation points
2025-12-05T09:42:41.7166667+00:00

"In my ASP.NET MVC 5 project, I am migrating to a strict Content Security Policy (CSP) to eliminate the use of 'unsafe-inline' for scripts. While I have successfully implemented the Nonce approach to secure my initial page loads, I still have two outstanding issues:

1. I need to migrate several existing inline JavaScript functions and handlers without losing their functionality.

2. I cannot apply the Nonce to scripts dynamically injected by Kendo UI's deferred script loading mechanism, resulting in CSP violations.

How can I securely refactor these inline functions and integrate a solution (like hashing or configuration) to satisfy the CSP for the Kendo deferred scripts?"

Developer technologies | ASP.NET | ASP.NET Core
1 answer

  1. Bruce (SqlWork.com) 81,971 Reputation points Volunteer Moderator
    2025-12-05T17:17:59.31+00:00

    Yes, all inline scripts must be replaced with external scripts. Kendo UI has added support for CSP:

    https://www.telerik.com/kendo-jquery-ui/documentation/intro/widget-basics/content-security-policy

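The refactor the answer describes, as an added example that is not part of the original thread: an inline `onclick` attribute is replaced by a `data-action` attribute plus one delegated listener in an external file. The file path, the attribute names and the `delete-row` action are assumptions for illustration; Kendo-specific configuration is left to the Telerik documentation linked in the answer.

```javascript
// Added example, not code from the thread. The path /Scripts/site-actions.js, the
// data-action / data-id attributes and the "delete-row" action are assumed names.
//
// Before (blocked: a CSP nonce does not cover event-handler attributes):
//   <button onclick="deleteRow(42)">Delete</button>
// After (markup carries data only; behaviour lives in this external file):
//   <button data-action="delete-row" data-id="42">Delete</button>
//   <script src="/Scripts/site-actions.js" nonce="..."></script>

// Allowlist of actions: only names registered here can run, so markup can
// never name an arbitrary function or expression.
const actions = new Map();

function registerAction(name, handler) {
  if (typeof handler !== 'function') throw new TypeError('handler must be a function');
  actions.set(name, handler);
}

// One delegated listener on a root element. It also serves elements added to
// the page later (partial views, widget templates) without rebinding.
function bindActions(root, eventType = 'click') {
  root.addEventListener(eventType, (event) => {
    const target = event.target;
    const el = target && target.closest ? target.closest('[data-action]') : null;
    if (!el || !root.contains(el)) return;
    const handler = actions.get(el.dataset.action);
    if (!handler) return; // unknown action names are ignored, never evaluated
    event.preventDefault();
    handler(el.dataset, el, event);
  });
}

// A former inline function, now registered by name. Arguments arrive as
// strings through data-* attributes and are validated before use.
const deleted = [];
registerAction('delete-row', (data) => {
  const id = Number.parseInt(data.id, 10);
  if (!Number.isInteger(id) || id <= 0) return;
  deleted.push(id); // stand-in for the real work (AJAX call, grid refresh)
});

// Wire up in the browser only, so the file can also be loaded in a test runner.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => bindActions(document));
}
```
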
