Approved
Last Updated: 31 Oct 2019 09:09 by ADMIN
Adrian
Created on: 24 Mar 2016 16:11
Category: Kendo UI for jQuery
Type: Feature Request
9
CSP Support
CSP is a great security feature. It should be fully supported by Kendo! The best would be some way to precompile Kendo Templates. Second option could be that you can use Kendo + CSP when not using own Kendo Templates at all. 
6 comments
ADMIN
Carl
Posted on: 31 Oct 2019 09:09

Hey everyone!

As mentioned in our documentation article on the subject, we do have a reliance on adding `unsafe-eval` when utilizing the jQuery edition of Kendo UI (which, as noted below, also impacts the MVC and Core libraries).

To give everybody some insight from our point of view, strict CSP is a bit of a tricky situation as the Kendo UI templates are used not just by our end-users but also everywhere in the Kendo UI components themselves. Therefore in order to be fully compliant it would require a very deep re-write of all Kendo UI jQuery components, which a) takes a bit of time to do and b) could potentially lead to breaking changes for all existing users. While it's not off the table, this is not a decision that can be taken without some serious planning and careful execution.

I should mention that while yes, we do use eval(), all of the internal Kendo UI templates utilize HTML encoding, which will help prevent script attacks through the usage of these templates. Additionally, for folks utilizing their own this can automatically be handled by using the `#: #` syntax as described here.

We do take security very seriously and are thinking about how to best handle CSP. As this item is currently just mentioning CSP, it would be great to understand if this kind of support is purely that your teams cannot allow `unsafe-eval` or if there are guidelines that you need to follow by using a nonce or a hash along with your script tags including Kendo UI. If it's a strict policy across the board then that is also good to know.

I should note here for anyone looking at other Kendo UI flavors outside of jQuery: our Angular, React, and Vue.js components support strict CSP. While this does not help the jQuery, MVC, and Core folks today, I just want to make sure I brought this up while on the topic.

I'm marking this item as `approved` since this is a very valid piece of feedback that we will continue to evaluate and plan for, but I cannot comment on a specific release date at the time of writing this post.

Regards,
Carl
Progress Telerik

Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
evb
Posted on: 25 Oct 2019 06:17

We're a year down the line, what's the status?

Like already said by others, because of the security, we will drop the use of kendo ui if there is no solution

Felickz
Posted on: 30 Oct 2018 15:26
Inline scripts seem to be part of the core design for the MVC controls.  This would require using a Webforms-esc ScriptManager control to manage all the content that needs injected into the response.
Michael
Posted on: 24 Oct 2018 17:07
Agreed.  This came up in a security audit and we can't be fully CSP compliant with the inline styles and eval calls.  This is only going to become more and more important as time goes on.  Kendo should really, really get this done. 
Imported User
Posted on: 24 Oct 2018 13:34
this came up in our security audit and our security officer is concerned.
Jackson
Posted on: 17 Oct 2018 15:30
we need it, or we're gonna have to drop kendo :(