Under Review
Last Updated: 24 Aug 2020 09:24 by ADMIN
Bhrugesh
Created on: 20 Aug 2020 14:06
Category: UI for ASP.NET AJAX
Type: Feature Request
0
CSP support for nonce and SHA256 hash in Telerik ASP.NET AJAX

I would like to know if the Telerik ASP.NET AJAX controls support securing CSP by adding nonce- or sha256- sources as mentioned in https://www.sitepoint.com/improving-web-security-with-the-content-security-policy (refer to the section "Protecting Inline Styles and Scripts Using a Nonce").
3 comments
ADMIN
Rumen
Posted on: 24 Aug 2020 09:24

Hi Rick,

For Kendo UI, ASP.NET MVC and Core, please refer to the following Kendo UI feedback portal item on the matter, https://feedback.telerik.com/kendo-jquery-ui/1359789-csp-support, check Carl's answer of 31 Oct 2019 11:09, and post your questions and comments for Kendo-related products there.

Best Regards,
Rumen
Progress Telerik

RickC
Posted on: 24 Aug 2020 03:11
The same problem exists with ASP.NET Core components. I have been able to apply nonces to every other JavaScript file in my .NET Core 3.1 app except for Telerik components like a Kendo Grid. This means my entire application's security is compromised because Kendo does not have the capability of adding nonces dynamically. Telerik really needs to fix this in order to support enterprise-level applications. CSP has been around for years and many people have been requesting this feature (perhaps not for AJAX, but I have personally submitted support requests for MVC and Core). Time to put security first!
ADMIN
Rumen
Posted on: 20 Aug 2020 14:25

Thank you for your feature request!

You are the first customer to request support for nonce and sha256 hash for CSP for Telerik ASP.NET AJAX controls.

The problem with them is that you cannot control the script tags which are imported by the ASP.NET Web Forms framework.

Even if we come up with a property or method that will allow you to call your own code that gives this nonce, we can't do anything for the scripts from the ASP.NET AJAX framework.

Best Regards,

Rumen
Progress Telerik
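As an added illustration of the two mechanisms discussed in this thread (not code from Telerik, Progress, or any participant), the following Python script takes a constructed HTML page containing a framework-style inline script without a nonce attribute, an inline script that carries the request nonce, and an external script. It extracts the inline scripts, reports which ones a given `script-src` would allow by nonce, and computes the `'sha256-…'` source expression that would allow a still-blocked script without touching the markup. The sample HTML, the nonce value and the policy string are constructed for the example; the hashing rule (SHA-256 over the exact script text, base64-encoded) is the one CSP specifies.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page. The first <script> stands in for a block the
# framework emits without a nonce; the second carries the request nonce;
# the third is external and is governed by host/nonce sources, not hashes.
SAMPLE_HTML = """<html><head>
<script type="text/javascript">
var theForm = document.forms['form1'];
</script>
<script nonce="r4nd0mN0nc3Va1ue">
window.appReady = true;
</script>
<script src="/Scripts/app.js" nonce="r4nd0mN0nc3Va1ue"></script>
</head><body></body></html>"""

# Constructed policy: only self-hosted files and nonce-bearing scripts run.
POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3Va1ue'"


class InlineScriptCollector(HTMLParser):
    """Collects (nonce, body) for every inline <script> that has no src."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None  # (nonce, [chunks]) while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = dict(attrs)
        if "src" in attrs:
            return  # external script: hash sources do not apply to it
        self._current = (attrs.get("nonce"), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            nonce, chunks = self._current
            self.scripts.append((nonce, "".join(chunks)))
            self._current = None


def csp_hash(script_body):
    """CSP 'sha256-…' expression: SHA-256 of the exact UTF-8 script text,
    whitespace included, base64-encoded."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_script_src(csp_header):
    """Return the source expressions listed under script-src."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def check_inline_scripts(html, csp_header):
    """For each inline script, say whether the policy allows it (by nonce or
    by hash) and which hash expression would allow it. 'unsafe-inline' is
    not modelled: browsers ignore it once a nonce or hash source is present."""
    collector = InlineScriptCollector()
    collector.feed(html)
    sources = parse_script_src(csp_header)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if s.startswith("'sha256-")}
    report = []
    for nonce, body in collector.scripts:
        expr = csp_hash(body)
        allowed_by = None
        if nonce is not None and nonce in nonces:
            allowed_by = "nonce"
        elif expr in hashes:
            allowed_by = "hash"
        report.append({"nonce": nonce, "hash": expr, "allowed_by": allowed_by})
    return report


def policy_with_hashes(html, csp_header):
    """Rebuild the header with the hash of every still-blocked inline script
    appended to script-src (other directives are left untouched)."""
    missing = [e["hash"] for e in check_inline_scripts(html, csp_header)
               if e["allowed_by"] is None]
    rebuilt = []
    for directive in csp_header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        if directive.split()[0].lower() == "script-src":
            directive = " ".join([directive] + missing)
        rebuilt.append(directive)
    return "; ".join(rebuilt)


if __name__ == "__main__":
    for entry in check_inline_scripts(SAMPLE_HTML, POLICY):
        print(entry)
    print(policy_with_hashes(SAMPLE_HTML, POLICY))
```

The hash route only helps when the inline script text is identical on every render: a framework-emitted block whose body changes per request (because it embeds per-page values, for instance) would need a fresh hash each time, which is the practical limit of this workaround and the reason the nonce request in this thread matters.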