Hello,
Thank you for your feature request and patience.
After thorough evaluation, we must decline this request as implementing nonce or SHA256 hash CSP support for Telerik UI for ASP.NET AJAX is not technically feasible due to fundamental limitations in the Microsoft ASP.NET WebForms framework itself.
Why this cannot be implemented:
Microsoft has officially stated in their IIS Support Blog:
"There's no way for a webforms app to run with a CSP without allowing unsafe-inline on scripts... As webforms is considered complete, with no new features being added, this isn't going to change."
The core issue is that ASP.NET WebForms and Microsoft AJAX framework automatically generate script tags (via ScriptResource.axd, WebResource.axd, Sys.WebForms, etc.) that Telerik cannot control or modify. Even if we implemented nonce injection for Telerik controls, the framework-generated scripts would remain without nonce attributes and be blocked by the browser's CSP policy.
We understand this is not the answer you were hoping for, but we believe it is important to provide clarity on the technical constraints involved.
Regards,
Rumen
Progress Telerik
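The blocking behaviour described in the reply above, as an added example that is not part of the original thread and not Telerik or Microsoft code: a simplified model of how a browser applies a nonce-based `script-src` policy to inline scripts. The sample markup, the nonce value `r4nd0m` and the function names are constructed for illustration, and the policy is assumed to contain a `script-src` directive.

```javascript
// Simplified model of nonce-based script-src enforcement for inline scripts.
// Assumes the policy contains a script-src directive; not a full CSP parser.
function parseScriptSrc(policy) {
  const directive = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src') || [];
  const sources = directive.slice(1);
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  const hasHash = sources.some(s => /^'sha(256|384|512)-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const unsafeInline = sources.includes("'unsafe-inline'") && nonces.length === 0 && !hasHash;
  return { nonces, unsafeInline };
}

// Returns one entry per inline <script>, saying whether the policy lets it run.
function auditInlineScripts(html, policy) {
  const { nonces, unsafeInline } = parseScriptSrc(policy);
  const results = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file: not an inline script
    const nonce = (attrs.match(/\bnonce\s*=\s*["']([^"']*)["']/i) || [])[1];
    const allowed = unsafeInline || (nonce !== undefined && nonces.includes(nonce));
    results.push({ snippet: m[2].trim().slice(0, 40), allowed });
  }
  return results;
}

// Constructed sample resembling WebForms output (not captured from a real page).
const SAMPLE_HTML = `
<form id="form1">
<script type="text/javascript">function __doPostBack(t, a) { /* framework-emitted */ }</script>
<script src="/ScriptResource.axd?d=PLACEHOLDER" type="text/javascript"></script>
<script type="text/javascript">Sys.WebForms.PageRequestManager._initialize('ScriptManager1', 'form1', [], [], [], 90, '');</script>
<script nonce="r4nd0m" type="text/javascript">/* control script that did receive a nonce */</script>
</form>`;

// Compare a nonce-only policy, an unsafe-inline policy, and a mix of both.
for (const policy of ["script-src 'self' 'nonce-r4nd0m'",
                      "script-src 'self' 'unsafe-inline'",
                      "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'"]) {
  console.log(policy, auditInlineScripts(SAMPLE_HTML, policy));
}
```

The third policy shows why a nonce cannot simply be added alongside `'unsafe-inline'`: once the nonce is present, the framework-emitted inline scripts are blocked again.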
Hi Rick,
For Kendo UI, ASP.NET MVC and Core, please refer to the following Kendo UI feedback portal item on the matter: https://feedback.telerik.com/kendo-jquery-ui/1359789-csp-support. Check Carl's answer on 31 Oct 2019 11:09 and post your questions and comments for Kendo-related products there.
Best Regards,
Rumen
Progress Telerik
Thank you for your feature request!
You are the first customer to request support for nonce and sha256 hash for CSP for Telerik ASP.NET AJAX controls.
The problem with them is that you cannot control the script tags which are imported by the ASP.NET Web Forms framework.
Even if we come up with a property or method that will allow you to call your own code that gives this nonce - we can't do anything for the scripts from the ASP.NET AJAX framework.
Best Regards,
Rumen
Progress Telerik