V25.1
Content Security Policy

    Content Security Policy (CSP) is designed to mitigate security-related risks (including Cross-Site Scripting (XSS), clickjacking, and data injection attacks). CSP is supported by most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers.

    Enable CSP Protection

    Specify a Content-Security-Policy HTTP response header or use a <meta> tag, and explicitly allow the functionality your pages need through CSP directives (for example, permitted script and style sources, and the external domains from which resources are loaded). DevExpress ASP.NET MVC extensions require the following directive sources:

    script-src 'unsafe-inline'
    Allows extensions to initialize their JavaScript instances (using inline script blocks).
    script-src 'unsafe-eval'
    Allows extensions to evaluate scripts on callback requests.
    img-src data:
    Allows extensions to display data images.
    style-src 'unsafe-inline'
    Allows extensions to render inline styles (passed from the server to the client).

    Apply these directives in the <head> section of the Layout.cshtml file:

    <head>
        <!--...-->
        <meta http-equiv="Content-Security-Policy" content="default-src 'self';
          script-src 'unsafe-inline' 'unsafe-eval' 'self';
          style-src 'unsafe-inline' 'self';
          img-src 'self' data:" />
        <!--...-->
    </head>
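    As an added check that is not part of the DevExpress documentation or library: a small Python linter that parses a policy string, resolves the default-src fallback that browsers apply to fetch directives, and reports which of the four sources listed above are missing, which directives still admit inline content (where CSP no longer blocks injected markup and server-side encoding of user input remains the real control), and whether a nonce or hash source would make browsers ignore 'unsafe-inline'. The directive names and sources come from this topic; the function names are my own.

```python
"""Lint a Content-Security-Policy string against the sources DevExpress
ASP.NET MVC extensions need. Constructed checker for this topic, not code
from the DevExpress docs or library."""

# Sources the topic lists as required, per fetch directive.
REQUIRED = {
    "script-src": {"'unsafe-inline'", "'unsafe-eval'"},
    "style-src": {"'unsafe-inline'"},
    "img-src": {"data:"},
}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}.
    Names are case-insensitive; a repeated directive keeps its first
    occurrence, which is how browsers resolve duplicates."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, name: str) -> list[str]:
    """Fetch directives fall back to default-src when not set explicitly."""
    return directives.get(name, directives.get("default-src", []))


def check_devexpress_csp(policy: str) -> dict[str, list[str]]:
    """Return what the extensions lack ('missing'), which directives admit
    inline content ('inline_allowed'), and 'warnings' for sources that make
    browsers silently ignore 'unsafe-inline'."""
    directives = parse_csp(policy)
    report = {"missing": [], "inline_allowed": [], "warnings": []}
    for name, required in REQUIRED.items():
        granted = set(effective_sources(directives, name))
        report["missing"] += [f"{name} {s}" for s in sorted(required - granted)]
        if "'unsafe-inline'" in granted:
            report["inline_allowed"].append(name)
            # CSP Level 2+: a nonce or hash source makes browsers ignore
            # 'unsafe-inline', so the extensions' inline scripts would break.
            if any(s.startswith(HASH_OR_NONCE) for s in granted):
                report["warnings"].append(
                    f"{name}: nonce/hash source present, 'unsafe-inline' ignored")
    return report
```

Run it against the policy from the <meta> tag above to confirm nothing is missing, and against a tighter policy such as `default-src 'self'` to see exactly which sources the extensions would lose.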
    

    Why 'unsafe-inline' and 'unsafe-eval' Script Sources Are Required

    DevExpress ASP.NET MVC extensions are built on the same core framework as our ASP.NET Web Forms controls. This ensures consistency in behavior, appearance, and APIs across both product libraries. It also means that DevExpress MVC extensions inherit WebForms platform-related limitations.

    Microsoft ASP.NET Web Forms requires unsafe-inline and unsafe-eval script sources. Because of this requirement, we use inline scripts to initialize the client state of our controls and evaluate scripts on callback requests.

    We escape all data passed to DevExpress inline scripts to maximize safety. We cannot guarantee the same for custom (non-DevExpress) scripts. If user input is included in inline scripts without proper escaping/validation, it can introduce security vulnerabilities. Always validate and encode user input to safeguard your application.

    Why 'unsafe-inline' Style Source Is Required

    DevExpress ASP.NET MVC extensions generate inline styles at runtime. For instance, our Grid View extension calculates column width and assigns corresponding CSS styles on the client. To mitigate security-related risks, the MVC Grid View validates these inline styles before applying them.

    DevExpress inline styles are safe, but we cannot guarantee the same for custom (non-DevExpress) styles. If user input is included in inline styles without proper escaping/validation, these styles may expose user data. To safeguard your application, always validate inline CSS styles defined in application code.

    Security scanners often check CSP compliance and report errors for unsupported directives. These errors do not indicate that the application is vulnerable. For a comprehensive assessment of application security, we recommend consulting with security specialists who can perform a thorough audit.

    We do not plan to support all CSP policies for DevExpress ASP.NET MVC product libraries due to implementation scope/complexity. If CSP compliance is essential, consider migrating to one of the following:

    Refer to the following topic for additional information: Migrate ASP.NET MVC Applications to .NET.

    Additional Requirements

    You need to specify additional directives if your MVC application includes DevExpress BI Dashboard or Report components. Refer to the following topics for additional information/guidance: