Skip to main content
BuyLog In
ASP.NET Core Controls
Search in…
Docs > Security Considerations > Content Security Policy
All docs
V23.2
ASP.NET Core Controls
Prerequisites and Installation
Supported Browsers
Demos and Sample Apps
DevExtreme-Based Controls
Reporting
Query Builder
Rich Text Editor
Spreadsheet
Security Considerations
Content Security Policy
Reduce CSV Injection Risks
Prevent Cross-Site Scripting Attacks
Troubleshooting
Web Dashboard
API Reference
Client API Reference
Download CHM

Content Security Policy

  • 4 minutes to read

Content Security Policy (CSP) is a built-in browser mechanism designed to prevent external security-related threats, including Cross-Site Scripting (XSS), clickjacking, and data injection attacks. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, and Safari.

To enable CSP in an ASP.NET Core application, you need to apply CSP directives. The list of the minimum required directives depends on components used in your application. The following sections list DevExpress ASP.NET Core components and corresponding CSP directives.

DevExtreme-Based Components

To enable CSP for DevExtreme-Based components, specify the <meta> tag with the following directives and call the AddCspNonce method:

<head>
    <meta http-equiv="Content-Security-Policy"
        content="default-src 'self'; img-src https://* data:; child-src 'none';
        script-src 'self' 'nonce-allowed-value';"
    />
</head>

@Html.DevExtreme().AddCspNonce("allowed-value")
@(Html.DevExtreme().Button()
    .Text("Submit")
)

DataGrid and PivotGrid Export

ASP.NET Core DataGrid and PivotGrid components use the ExcelJS third-party library to export data to Excel. If you implement export functionality, include the following initialization code before ExcelJS sources:

<head>
    <!-- ... -->
    <meta http-equiv="Content-Security-Policy"
        content="default-src 'self';
        script-src 'self' 'nonce-allowed-value' cdnjs.cloudflare.com;"
    />
    <script nonce="allowed-value">
        window.regeneratorRuntime = null;
    </script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/exceljs/3.3.1/exceljs.min.js"></script>
    <!-- reference the DevExtreme sources here -->
</head>

@Html.DevExtreme().AddCspNonce("allowed-value")

Map

Specify the following set of CSP directives to integrate DevExtreme-Based UI components with Google or Bing maps API:

<head>
    <meta http-equiv="Content-Security-Policy" 
        content="default-src 'self' https://*.googleapis.com/ https://*.gstatic.com;  
        script-src 'unsafe-inline' 'unsafe-eval' 'self' 'nonce-allowed-value' https://*.googleapis.com/ https://*.gstatic.com;  
        style-src 'unsafe-inline' 'self' https://*.googleapis.com/ https://*.gstatic.com;  
        img-src 'self' data: https://*.googleapis.com/ https://*.gstatic.com;" 
    />
</head>

@Html.DevExtreme().AddCspNonce("allowed-value")

Office-Inspired Components

Rich Text Editor

Specify the <meta> tag with the following directives and call the Nonce(String) method to enable CSP for the Rich Text Editor:

<head>
    <meta http-equiv="Content-Security-Policy"
        content="default-src 'self';
        script-src 'self' 'nonce-allowed-value';
        img-src data:"
    />
</head>

@(Html.DevExpress().RichEdit("richEdit")
    .Nonce("allowed-value")
    // ...
)

Note that inserting content in HTML format violates the style-src 'self' CSP directive. Add the 'unsafe-inline' keyword to the directive to allow users to paste HTML content into a document opened in the Rich Text Editor.

Spreadsheet

The following <meta> tag specifies the minimum required directives for the Spreadsheet control:

<head>
    <meta http-equiv="Content-Security-Policy" 
        content="default-src 'self';
        script-src 'self' 'unsafe-inline' 'unsafe-eval';
        style-src 'self' 'unsafe-inline';
        img-src 'self' data:"
    />
</head>

Reporting Controls

The following <meta> tag specifies the minimum required directives for DevExpress Reports:

<head>
    <meta http-equiv="Content-Security-Policy" 
        content="default-src 'self';
        img-src data: https: http:;
        script-src 'self' 'unsafe-inline';
        style-src 'self' 'unsafe-inline';
        connect-src 'self';
        worker-src 'self' blob:;
        frame-src 'self' blob:;" />
</head>

You can implement a nonce-based CSP and remove unsafe-inline from script-src and style-src directives. Read the following topic for more information: Content Security Policy for DevExpress Reports.

Dashboard Controls

The following <meta> tag specifies the minimum required directives for the DevExpress Web BI Dashboard:

<head>
    <meta http-equiv="Content-Security-Policy" 
        content="default-src 'self';
        img-src data: https: http:;
        script-src 'self' 'unsafe-inline';
        style-src 'self' 'unsafe-inline'; "/>
</head>

You can implement a nonce-based CSP to remove the unsafe-inline keyword for script-src and style-src directives. Review the following help topic for more information: Content Security Policy for BI Dashboard (ASP.NET Core).

Use Third-Party Libraries to Obtain Nonce

Most DevExpress ASP.NET Core components ship with methods that allow you to assign nonce values to them. DevExtreme-based components implement the AddCspNonce method, while other components (except Spreadsheet) implement the Nonce method.

You can use a third-party library to build a CSP configuration and generate nonce values. In this case, pass a generated nonce value to the AddCspNonce or Nonce method to implement a nonce-based CSP for your application. The example below uses Joonasw.AspNetCore.SecurityHeaders to generate unique nonce values for DevExtreme-based components:

@inject Joonasw.AspNetCore.SecurityHeaders.Csp.ICspNonceService NonceService

@Html.DevExtreme().AddCspNonce(NonceService.GetNonce())
@(Html.DevExtreme().Button()
    .Text("Submit")
)