Last Updated: 02 Jan 2019 17:31 by ADMIN
Created on: 13 Dec 2018 16:45
Category: ScriptManager
Type: Feature Request
Subresource Integrity (CDN)
Subresource Integrity is a fairly new security scheme for protecting against malicious script obtained from third-party source (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.

Telerik controls generate a bunch of script tags for It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap? 

Mozilla provides a security analysis tool which highlights this issue. Look at the results for here -> 

More info available on
Marin Bratanov
Posted on: 02 Jan 2019 17:31
Thank you for your feedback, Dan. We will definitely keep this in mind. If this becomes commonly requested and popular, we will consider it for sure.

So far this is the first time that this is requested in a decade since we offer a CDN, however, so, for the time being, I can suggest you use a custom CDN on your own server: This should let the scan realize the resources are coming from your own domain and thus, not require the hash. The caching benefits are almost the same as with a cloud CDN. Of course, if you have users all over the globe, there will be a little more of a difference.

Marin Bratanov

Dan Ehrmann
Posted on: 02 Jan 2019 16:48
FYI - our most recent PCI compliance scan flagged this as a fatal error. To resolve it, we have disabled the CDN on the ScriptManager. I think you will have a lot of customers faced with this problem in the near future.