Hello, Lisa,

The MVC and Core wrappers use Kendo UI for jQuery under the hood so the changes to the jQuery library also affect the wrappers.

Please refer to the following documentation article for more information:

https://docs.telerik.com/aspnet-mvc/html-helpers/helper-basics/content-security-policy#for-r1-2023-sp1-and-later-working-with-telerik-ui-for-aspnet-mvc-components 

Best Regards,
Georgi Denchev
Progress Telerik

Hello everyone,

I wanted to jump into this feedback item and provide an update when it comes to CSP support in Kendo UI for jQuery as well as Telerik UI for ASP.NET MVC and ASP.NET Core.

Specifically, with R1 2023 (slated for mid-January 2023) we will officially be able to drop the `unsafe-eval` exception for Kendo UI for jQuery!

Like I have mentioned a few times below, improving our CSP support (with a goal of being Strict CSP compliant) would require a re-write of internal aspects of Kendo UI for jQuery, as well as a change to how we handle templates within the library. Over the last year or so, the Kendo UI for jQuery team has been busy behind the scenes making the necessary architectural and source code changes to build towards this goal and we are now at a point where we can officially share the news about being able to eliminate the `unsafe-eval` exception that has been the biggest hurdle with improving our CSP support.

For those of you that are not using the Kendo UI Template functionality to customize the Kendo UI for jQuery components, merely upgrading to R1 2023 will allow you to drop the `unsafe-eval` exception.

For those using Kendo UI Templates there will be some potential changes to your templates, moving over to JavaScript literal templates instead. The differences in the template strings will be documented to ensure that this transition will be as seamless as possible.

As we get closer to the release we will provide documentation articles and more information about this change to help everyone prepare.

We believe `unsafe-eval` is the biggest concern based on the feedback below, as well as additional conversations we have had with folks focused on CSP compliance and are excited that we can now officially mark this item as planned with a specific release in mind - and something that is right around the corner from the time of writing this message!

As a final note, the last step towards full Strict CSP compliance is the `font-src` exception that is required to use Kendo UI for jQuery Icons contained within our components. We are planning on working towards removing this exception after the R1 2023 release and are targeting to resolve this later in 2023.

Regards,
Carl
Progress Telerik

Hey folks!

At this time there is no further update regarding strict CSP support in the Kendo UI for jQuery library. We are continuing to monitor this thread and other sourced of feedback related to CSP support. However, at this time we do not have an update on when this will be supported in the jQuery UI components.

Regards,
Carl
Progress Telerik

Hi Martin,

Yes, that is correct. Here is the documentation article, which discusses this topic:

https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy

Regards,
Dimo
Progress Telerik

Hey everyone,

We are continuing to evaluate how we can ensure proper CSP compliance and what our strategy to get there could potentially be. As mentioned in my previous post this effort potentially has a huge impact on not only our own development efforts but also it will lead to a huge impact of all Kendo UI users - regardless to every single Kendo UI user which is something that we take very seriously.

At the same time, we also understand how this impacts users that have this strict CSP requirement and that it puts you in a tough position. With the ongoing feedback here, as well as research efforts we are doing with other customers, we will continue to look in to what we can do with CSP support and how we can serve all of our customers along the way.

I know this does not give you a timeline on the topic but I wanted to add this note to provide some assurance that we are still actively paying attention to this item.

Carl
Progress Telerik

Hi,

Please find below links to articles regarding Content Security Policy:

- link to UI for ASP.NET MVC documentation

- link to UI for ASP.NET Core documentation

Regards,
Neli
Progress Telerik

Hi,

As described in the Content Security Policy article in Kendo UI for jQuery documentation, still the "unsafe-eval" keyword should be added as part of the meta tag used for enabling the CSP mode.

In case Kendo widgets are initialized from Html helpers or Tag Helpers the following steps should be followed:

- The Deferred initialization should be used

@(Html.Kendo().PanelBar()
        .Name("IntroPanelBar")
        .Items(items =>
        {
		...
        })
        .Deferred()
)

- The initialization logic should be rendered in a script using 'nonce' 

<script type="text/javascript" nonce="kendoInlineScript">
	@Html.Kendo().DeferredScripts(false)
</script>

- The Content Security Policy meta tag should include the "unsafe-eval" and "nonce" as demonstrated below:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com;">

There will be an article regarding the steps described above very soon. Once, the article is available I will link send a link to it. 

Regards,
Neli
Progress Telerik

Hello Karina, all,

As soon as we have new information about how and when we will revamp Kendo UI for jQuery to make it CSP compatible, we will post here and update the item status. At this point I can confirm the state of affairs is the same, as described by Carl.

In the meantime, we appreciate everyone's feedback about the current situation's impact and what requirements and policies our customers adhere to. This helps us gauge the importance of CSP compliance.

Regards,
Dimo
Progress Telerik

Hey everyone!

As mentioned in our documentation article on the subject, we do have a reliance on adding `unsafe-eval` when utilizing the jQuery edition of Kendo UI (which, as noted below, also impacts the MVC and Core libraries).

To give everybody some insight from our point of view, strict CSP is a bit of a tricky situation as the Kendo UI templates are used not just by our end-users but also everywhere in the Kendo UI components themselves. Therefore in order to be fully compliant it would require a very deep re-write of all Kendo UI jQuery components, which a) takes a bit of time to do and b) could potentially lead to breaking changes for all existing users. While it's not off the table, this is not a decision that can be taken without some serious planning and careful execution.

I should mention that while yes, we do use eval(), all of the internal Kendo UI templates utilize HTML encoding, which will help prevent script attacks through the usage of these templates. Additionally, for folks utilizing their own this can automatically be handled by using the `#: #` syntax as described here.

We do take security very seriously and are thinking about how to best handle CSP. As this item is currently just mentioning CSP, it would be great to understand if this kind of support is purely that your teams cannot allow `unsafe-eval` or if there are guidelines that you need to follow by using a nonce or a hash along with your script tags including Kendo UI. If it's a strict policy across the board then that is also good to know.

I should note here for anyone looking at other Kendo UI flavors outside of jQuery: our Angular, React, and Vue.js components support strict CSP. While this does not help the jQuery, MVC, and Core folks today, I just want to make sure I brought this up while on the topic.

I'm marking this item as `approved` since this is a very valid piece of feedback that we will continue to evaluate and plan for, but I cannot comment on a specific release date at the time of writing this post.

Regards,
Carl
Progress Telerik