Unplanned
Last Updated: 29 Sep 2020 20:40 by Niels
Adrian
Created on: 24 Mar 2016 16:11
Category: Kendo UI for jQuery
Type: Feature Request
13
CSP Support
CSP is a great security feature. It should be fully supported by Kendo! The best would be some way to precompile Kendo Templates. A second option could be that you can use Kendo + CSP when not using your own Kendo Templates at all.
13 comments
Niels
Posted on: 29 Sep 2020 20:40

This will become an issue at my current customer. They used Kendo extensively to build a portal, but the Dutch national identity provider DigiD prohibits the usage of unsafe-inline and unsafe-eval completely from 2021 onwards.

I now have two options, and losing DigiD support isn't one of them:

  • Hope there will be a workaround before January 2021
  • Drop Kendo completely (but that means a complete rewrite of the front-end).
ADMIN
Neli
Posted on: 29 Jul 2020 07:02

Hi,

Please find below links to articles regarding Content Security Policy:

- link to UI for ASP.NET MVC documentation

- link to UI for ASP.NET Core documentation

Regards,
Neli
Progress Telerik

ADMIN
Neli
Posted on: 28 Jul 2020 11:46

Hi,

As described in the Content Security Policy article in the Kendo UI for jQuery documentation, the "unsafe-eval" keyword still has to be added to the meta tag used for enabling the CSP mode.

In case Kendo widgets are initialized from Html helpers or Tag Helpers, the following steps should be followed:

- The Deferred initialization should be used

@(Html.Kendo().PanelBar()
    .Name("IntroPanelBar")
    .Items(items =>
    {
        ...
    })
    .Deferred()
)

- The initialization logic should be rendered in a script using 'nonce'

<script type="text/javascript" nonce="kendoInlineScript">
    @Html.Kendo().DeferredScripts(false)
</script>

- The Content Security Policy meta tag should include the "unsafe-eval" and "nonce" as demonstrated below:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com;">

There will be an article regarding the steps described above very soon. Once the article is available I will send a link to it.

Regards,
Neli
Progress Telerik

Felickz
Posted on: 22 Jul 2020 17:05

For unsafe-inline MVC support - Have you considered the ability to output a nonce into the scripts and include in the response header?

Expose an extensibility point to integrate a package like NWEBSEC that already has tag helpers / CSP attributes builders for this same paradigm - https://docs.nwebsec.com/en/4.1/nwebsec/Configuring-csp.html#script-and-style-nonces-through-htmlhelpers

Karina
Posted on: 21 Jul 2020 19:57

Hello, just to confirm. Is unsafe-eval still needed in CSP for Kendo UI? Or has something changed?

Thanks,

Karina

ADMIN
Dimo
Posted on: 03 Jan 2020 16:15

Hello Karina, all,

As soon as we have new information about how and when we will revamp Kendo UI for jQuery to make it CSP compatible, we will post here and update the item status. At this point I can confirm the state of affairs is the same, as described by Carl.

In the meantime, we appreciate everyone's feedback about the current situation's impact and what requirements and policies our customers adhere to. This helps us gauge the importance of CSP compliance.

Regards,
Dimo
Progress Telerik

Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
Karina
Posted on: 13 Dec 2019 15:38

Hello, any update when this would be fixed?

While our audit identified this as a low risk with CVSS 2.5, per company policy, we need to have this issue fixed in the near future.

Thanks,

ADMIN
Carl
Posted on: 31 Oct 2019 09:09

Hey everyone!

As mentioned in our documentation article on the subject, we do have a reliance on adding `unsafe-eval` when utilizing the jQuery edition of Kendo UI (which, as noted below, also impacts the MVC and Core libraries).

To give everybody some insight from our point of view, strict CSP is a bit of a tricky situation as the Kendo UI templates are used not just by our end-users but also everywhere in the Kendo UI components themselves. Therefore in order to be fully compliant it would require a very deep re-write of all Kendo UI jQuery components, which a) takes a bit of time to do and b) could potentially lead to breaking changes for all existing users. While it's not off the table, this is not a decision that can be taken without some serious planning and careful execution.

I should mention that while yes, we do use eval(), all of the internal Kendo UI templates utilize HTML encoding, which will help prevent script attacks through the usage of these templates. Additionally, for folks utilizing their own templates, this can automatically be handled by using the `#: #` syntax as described here.

We do take security very seriously and are thinking about how to best handle CSP. As this item is currently just mentioning CSP, it would be great to understand if this kind of support is purely that your teams cannot allow `unsafe-eval` or if there are guidelines that you need to follow by using a nonce or a hash along with your script tags including Kendo UI. If it's a strict policy across the board then that is also good to know.

I should note here for anyone looking at other Kendo UI flavors outside of jQuery: our Angular, React, and Vue.js components support strict CSP. While this does not help the jQuery, MVC, and Core folks today, I just want to make sure I brought this up while on the topic.

I'm marking this item as `approved` since this is a very valid piece of feedback that we will continue to evaluate and plan for, but I cannot comment on a specific release date at the time of writing this post.

Regards,
Carl
Progress Telerik

evb
Posted on: 25 Oct 2019 06:17

We're a year down the line, what's the status?

As others have already said, we will drop the use of Kendo UI for security reasons if there is no solution.

Felickz
Posted on: 30 Oct 2018 15:26
Inline scripts seem to be part of the core design for the MVC controls. This would require using a WebForms-esque ScriptManager control to manage all the content that needs to be injected into the response.
Michael
Posted on: 24 Oct 2018 17:07
Agreed. This came up in a security audit and we can't be fully CSP compliant with the inline styles and eval calls. This is only going to become more and more important as time goes on. Kendo should really, really get this done.
Imported User
Posted on: 24 Oct 2018 13:34
This came up in our security audit and our security officer is concerned.
Jackson
Posted on: 17 Oct 2018 15:30
We need it, or we're gonna have to drop Kendo :(