    Content Security Policy

    Content Security Policy (CSP) is designed to mitigate security-related risks (including Cross-Site Scripting (XSS), clickjacking, and data injection attacks). CSP is supported by most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers.

    Enable CSP Protection

    Specify a Content-Security-Policy header or use the <meta> tag and explicitly define authorized functionality using CSP directives (such as allowed scripts/styles and external domains used to load resources). DevExpress ASP.NET Web Forms controls require the following directives:

    script-src 'unsafe-inline'
    Allows controls to initialize their JavaScript instances (using inline script blocks).
    script-src 'unsafe-eval'
    Allows controls to evaluate scripts on callback requests.
    img-src data:
    Allows controls to display data images.
    style-src 'unsafe-inline'
    Allows controls to render inline styles (passed from the server to the client).

    Apply these directives in the <head> section of the Default.aspx file:

    <head>
        <!--...-->
        <meta http-equiv="Content-Security-Policy" content="default-src 'self';
          script-src 'unsafe-inline' 'unsafe-eval' 'self';
          style-src 'unsafe-inline' 'self';
          img-src 'self' data:" />
        <!--...-->
    </head>
    
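    The following Python checker is an added example, not DevExpress code: it parses a Content-Security-Policy value (header and <meta> syntax are the same), applies the default-src fallback for absent fetch directives, and reports which of the four sources listed above are missing. It also flags the case where a nonce or hash source sits next to 'unsafe-inline', because browsers then ignore 'unsafe-inline' and the controls' inline scripts stop running even though the keyword is present.

```python
# Added example (not DevExpress code): check that a CSP grants the sources
# the page lists for DevExpress ASP.NET Web Forms controls.

# Sources the page says DevExpress ASP.NET Web Forms controls require.
REQUIRED_SOURCES = {
    "script-src": ("'unsafe-inline'", "'unsafe-eval'"),
    "style-src": ("'unsafe-inline'",),
    "img-src": ("data:",),
}

# Policy taken from the page's <meta> example above.
PAGE_POLICY = ("default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; "
               "style-src 'unsafe-inline' 'self'; img-src 'self' data:")


def parse_csp(policy):
    """Split a policy into {directive: [source, ...]}.

    Directives are ';'-separated and case-insensitive; when a directive is
    repeated, browsers keep the first occurrence and ignore the rest.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """A fetch directive that is absent inherits the default-src list."""
    return directives[name] if name in directives else directives.get("default-src", [])


def check_devexpress_csp(policy):
    """Return the problems that would break the controls; an empty list means OK."""
    directives = parse_csp(policy)
    problems = []
    for name, needed in REQUIRED_SOURCES.items():
        sources = effective_sources(directives, name)
        for src in needed:
            if src not in sources:
                problems.append(f"{name} is missing {src}")
        # CSP level 2+: a nonce or hash source in the same list makes browsers
        # ignore 'unsafe-inline', so a partly nonced policy silently breaks inline scripts.
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
        if "'unsafe-inline'" in sources and nonce_or_hash:
            problems.append(f"{name}: 'unsafe-inline' is ignored next to a nonce/hash source")
    return problems


if __name__ == "__main__":
    print(check_devexpress_csp(PAGE_POLICY))  # prints []
    print(check_devexpress_csp("default-src 'self'"))
```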

    Why ‘unsafe-inline’ and ‘unsafe-eval’ Script Sources Are Required

    Inline script blocks are common to all ASP.NET Web Forms controls (including standard Microsoft UI controls, a part of the ASP.NET Web Forms framework itself). For instance:

    Microsoft ASP.NET Web Forms relies on legacy JavaScript libraries (older versions of jQuery, Microsoft Ajax, and client-side validation libraries). These libraries call eval or Function methods to parse serialized objects and run dynamically loaded scripts.

    It is simply impossible to apply nonce values to each inline script and completely remove eval-like behavior from a Web Forms application (please remember that ASP.NET Web Forms is a legacy Microsoft framework in maintenance mode). As an alternative, Microsoft suggests using unsafe-inline and unsafe-eval script sources in Web Forms applications. For additional information in this regard, please refer to the following IIS Support Blog Post.

    Why ‘unsafe-inline’ Style Source Is Required

    DevExpress ASP.NET Web Forms controls generate inline styles at runtime. For instance, our Grid View control calculates column width and assigns corresponding CSS styles on the client. To mitigate security-related risks, the Web Forms Grid View validates these inline styles before applying them.

    DevExpress inline styles are safe, but we cannot guarantee the same for custom (non-DevExpress) styles. If user input is included in inline styles without proper escaping/validation, these styles may expose user data. To safeguard your application, always validate inline CSS styles defined in application code.

    Security scanners often check CSP compliance and report errors for unsupported directives. These errors do not indicate that the application is vulnerable. For a comprehensive assessment of application security, we recommend consulting with security specialists who can perform a thorough audit.

    Due to platform limitations, we do not plan to support all CSP policies for DevExpress ASP.NET Web Forms products. If CSP compliance is essential, consider migrating to one of the following:

    Refer to the following topic for additional information: Migrate Web Forms Applications to .NET.

    Additional Requirements

    You need to specify additional directives if your Web Forms application includes DevExpress BI Dashboard or Report components. Refer to the following topics for additional information/guidance: