Completed
Last Updated: 12 Sep 2023 14:21 by ADMIN
Adrian
Created on: 24 Mar 2016 16:11
Category: Kendo UI for jQuery
Type: Feature Request
25
CSP Support
CSP is a great security feature. It should be fully supported by Kendo! The best would be some way to precompile Kendo Templates. A second option could be that you can use Kendo + CSP when not using your own Kendo Templates at all.
21 comments
ADMIN
Georgi Denchev
Posted on: 25 Apr 2023 14:58

Hello, Lisa,

The MVC and Core wrappers use Kendo UI for jQuery under the hood so the changes to the jQuery library also affect the wrappers.

Please refer to the following documentation article for more information:

https://docs.telerik.com/aspnet-mvc/html-helpers/helper-basics/content-security-policy#for-r1-2023-sp1-and-later-working-with-telerik-ui-for-aspnet-mvc-components 

Best Regards,
Georgi Denchev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Lisa
Posted on: 19 Apr 2023 07:12

Dear Support Team,

Refer to the update posted by Carl on 5 Oct 2022 below,

"Specifically, with R1 2023 (slated for mid-January 2023) we will officially be able to drop the `unsafe-eval` exception for Kendo UI for jQuery!"

Is the removal of 'unsafe-eval' applicable to Telerik UI for jQuery too, or only Kendo UI? We are currently using Telerik 2021.2.616.45 UI for jQuery and encountered the same security issue where we need to remove the 'unsafe-eval' as the solution. Please advise.

Regards,

Lisa

ADMIN
Carl
Posted on: 05 Oct 2022 15:42

Hello everyone,

I wanted to jump into this feedback item and provide an update when it comes to CSP support in Kendo UI for jQuery as well as Telerik UI for ASP.NET MVC and ASP.NET Core.

Specifically, with R1 2023 (slated for mid-January 2023) we will officially be able to drop the `unsafe-eval` exception for Kendo UI for jQuery!

Like I have mentioned a few times below, improving our CSP support (with a goal of being Strict CSP compliant) would require a re-write of internal aspects of Kendo UI for jQuery, as well as a change to how we handle templates within the library. Over the last year or so, the Kendo UI for jQuery team has been busy behind the scenes making the necessary architectural and source code changes to build towards this goal and we are now at a point where we can officially share the news about being able to eliminate the `unsafe-eval` exception that has been the biggest hurdle with improving our CSP support.

For those of you that are not using the Kendo UI Template functionality to customize the Kendo UI for jQuery components, merely upgrading to R1 2023 will allow you to drop the `unsafe-eval` exception.

For those using Kendo UI Templates there will be some potential changes to your templates, moving over to JavaScript literal templates instead. The differences in the template strings will be documented to ensure that this transition will be as seamless as possible.

As we get closer to the release we will provide documentation articles and more information about this change to help everyone prepare.

We believe `unsafe-eval` is the biggest concern based on the feedback below, as well as additional conversations we have had with folks focused on CSP compliance and are excited that we can now officially mark this item as planned with a specific release in mind - and something that is right around the corner from the time of writing this message!

As a final note, the last step towards full Strict CSP compliance is the `font-src` exception that is required to use Kendo UI for jQuery Icons contained within our components. We are planning on working towards removing this exception after the R1 2023 release and are targeting to resolve this later in 2023.

Regards,
Carl
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

ADMIN
Carl
Posted on: 11 Jan 2022 17:07

Hey folks!

At this time there is no further update regarding strict CSP support in the Kendo UI for jQuery library. We are continuing to monitor this thread and other sources of feedback related to CSP support. However, at this time we do not have an update on when this will be supported in the jQuery UI components.

Regards,
Carl
Progress Telerik

Sanatan
Posted on: 06 Jan 2022 06:45

Another year has passed since the last feedback on this. This is a serious shortcoming of Kendo UI. Any updates on when this will be supported?

Thanks,

Sanatan

ADMIN
Dimo
Posted on: 02 Feb 2021 08:43

Hi Martin,

Yes, that is correct. Here is the documentation article, which discusses this topic:

https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy

Regards,
Dimo
Progress Telerik

Martin
Posted on: 01 Feb 2021 21:55

Hello, is unsafe-eval still needed in CSP for Kendo UI for jQuery?

ADMIN
Carl
Posted on: 06 Oct 2020 14:31

Hey everyone,

We are continuing to evaluate how we can ensure proper CSP compliance and what our strategy to get there could potentially be. As mentioned in my previous post, this effort potentially has a huge impact not only on our own development efforts but also on every single Kendo UI user, which is something that we take very seriously.

At the same time, we also understand how this impacts users that have this strict CSP requirement and that it puts you in a tough position. With the ongoing feedback here, as well as research efforts we are doing with other customers, we will continue to look into what we can do with CSP support and how we can serve all of our customers along the way.

I know this does not give you a timeline on the topic but I wanted to add this note to provide some assurance that we are still actively paying attention to this item.


Carl
Progress Telerik

Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).

Niels
Posted on: 29 Sep 2020 20:40

This will become an issue at my current customer. They used Kendo extensively to build a portal, but the Dutch national identity provider DigiD prohibits the usage of unsafe-inline and unsafe-eval completely from 2021 onwards.

I now have two options, and losing DigiD support isn't one of them:

  • Hope there will be a workaround before January 2021
  • Drop Kendo completely (but that means a complete rewrite of the front-end).

ADMIN
Neli
Posted on: 29 Jul 2020 07:02

Hi,

Please find below links to articles regarding Content Security Policy:

- link to UI for ASP.NET MVC documentation

- link to UI for ASP.NET Core documentation

Regards,
Neli
Progress Telerik

ADMIN
Neli
Posted on: 28 Jul 2020 11:46

Hi,

As described in the Content Security Policy article in the Kendo UI for jQuery documentation, the "unsafe-eval" keyword should still be added as part of the meta tag used for enabling the CSP mode.

In case Kendo widgets are initialized from Html helpers or Tag Helpers the following steps should be followed:

- The Deferred initialization should be used

@(Html.Kendo().PanelBar()
    .Name("IntroPanelBar")
    .Items(items =>
    {
        ...
    })
    .Deferred()
)

- The initialization logic should be rendered in a script using 'nonce' 

<script type="text/javascript" nonce="kendoInlineScript">
	@Html.Kendo().DeferredScripts(false)
</script>

- The Content Security Policy meta tag should include the "unsafe-eval" and "nonce" as demonstrated below:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com;">

There will be an article regarding the steps described above very soon. Once the article is available I will send a link to it.

Regards,
Neli
Progress Telerik
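
The meta tag in the post above keeps 'unsafe-eval' alongside a nonce. As an added example that is not part of this thread or of Telerik's documentation, the following JavaScript parses a policy string and reports which of the script-src exceptions discussed in this thread it still carries. Both policy strings are constructed: the first is the content value from the tag above, the second is the same policy without 'unsafe-eval', with a placeholder nonce value standing in for what a server would generate per response.

```javascript
// Added example, not from Telerik: audit a Content-Security-Policy string for
// the script-src exceptions discussed in this thread.

// Split a policy into a directive -> source-list map. Directive names are
// case-insensitive; source expressions keep their quotes ('self', 'nonce-...').
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Report what the effective script-src still permits. script-src falls back
// to default-src when absent; with neither, scripts are unrestricted ('*').
function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? ['*'];
  const findings = [];

  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' present: eval() and new Function() are allowed");
  }

  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/.test(s));
  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
  // listed, so it only matters when neither is present.
  if (sources.includes("'unsafe-inline'") && nonces.length === 0 && hashes.length === 0) {
    findings.push("'unsafe-inline' present: any inline script is allowed");
  }

  // The CSP spec recommends at least 128 bits of fresh randomness per
  // response; 16 bytes in base64 is 22 characters before padding, so a
  // shorter value (or a fixed word) cannot be that.
  for (const nonce of nonces) {
    const value = nonce.slice("'nonce-".length, -1);
    if (value.length < 22) {
      findings.push(`nonce '${value}' is too short to be 128 bits of randomness`);
    }
  }

  if (sources.includes('*')) {
    findings.push('wildcard source: any origin may serve scripts');
  }

  return { sources, findings, clean: findings.length === 0 };
}

// Constructed input: the policy from the meta tag above, as posted.
const POLICY_AS_POSTED =
  "script-src 'unsafe-eval' 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com;";

// Constructed input: the same policy without 'unsafe-eval'. The nonce value is
// a placeholder; a real server generates a new random one for every response.
const POLICY_HARDENED =
  "default-src 'self'; script-src 'self' 'nonce-WDY4M2JqUWRvOHpMM3FWc0Zx' https://kendo.cdn.telerik.com;";

console.log(auditScriptSrc(POLICY_AS_POSTED));
console.log(auditScriptSrc(POLICY_HARDENED));
```

Run against the posted policy the audit reports two findings: the 'unsafe-eval' keyword, and the nonce value `kendoInlineScript`, which is a fixed word rather than per-response randomness; a nonce only restricts inline scripts when an attacker cannot predict it, so the value has to be regenerated for every page. The hardened policy reports none.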

Felickz
Posted on: 22 Jul 2020 17:05

For unsafe-inline MVC support - have you considered the ability to output a nonce into the scripts and include it in the response header?

Expose an extensibility point to integrate a package like NWEBSEC that already has tag helpers / CSP attributes builders for this same paradigm - https://docs.nwebsec.com/en/4.1/nwebsec/Configuring-csp.html#script-and-style-nonces-through-htmlhelpers

Karina
Posted on: 21 Jul 2020 19:57

Hello, just to confirm. Is unsafe-eval still needed in CSP for Kendo UI? Or has something changed?

Thanks,

Karina

ADMIN
Dimo
Posted on: 03 Jan 2020 16:15

Hello Karina, all,

As soon as we have new information about how and when we will revamp Kendo UI for jQuery to make it CSP compatible, we will post here and update the item status. At this point I can confirm the state of affairs is the same, as described by Carl.

In the meantime, we appreciate everyone's feedback about the current situation's impact and what requirements and policies our customers adhere to. This helps us gauge the importance of CSP compliance.

Regards,
Dimo
Progress Telerik

Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.

Karina
Posted on: 13 Dec 2019 15:38

Hello, any update on when this would be fixed?

While our audit identified this as a low risk with CVSS 2.5, per company policy we need to have this issue fixed in the near future.

Thanks,

ADMIN
Carl
Posted on: 31 Oct 2019 09:09

Hey everyone!

As mentioned in our documentation article on the subject, we do have a reliance on adding `unsafe-eval` when utilizing the jQuery edition of Kendo UI (which, as noted below, also impacts the MVC and Core libraries).

To give everybody some insight from our point of view, strict CSP is a bit of a tricky situation as the Kendo UI templates are used not just by our end-users but also everywhere in the Kendo UI components themselves. Therefore in order to be fully compliant it would require a very deep re-write of all Kendo UI jQuery components, which a) takes a bit of time to do and b) could potentially lead to breaking changes for all existing users. While it's not off the table, this is not a decision that can be taken without some serious planning and careful execution.

I should mention that while yes, we do use eval(), all of the internal Kendo UI templates utilize HTML encoding, which will help prevent script attacks through the usage of these templates. Additionally, for folks utilizing their own templates, this can automatically be handled by using the `#: #` syntax as described here.

We do take security very seriously and are thinking about how to best handle CSP. As this item is currently just mentioning CSP, it would be great to understand if this kind of support is purely that your teams cannot allow `unsafe-eval` or if there are guidelines that you need to follow by using a nonce or a hash along with your script tags including Kendo UI. If it's a strict policy across the board then that is also good to know.

I should note here for anyone looking at other Kendo UI flavors outside of jQuery: our Angular, React, and Vue.js components support strict CSP. While this does not help the jQuery, MVC, and Core folks today, I just want to make sure I brought this up while on the topic.

I'm marking this item as `approved` since this is a very valid piece of feedback that we will continue to evaluate and plan for, but I cannot comment on a specific release date at the time of writing this post.

Regards,
Carl
Progress Telerik

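Carl's two posts above (Oct 2019 and Oct 2022) explain why string templates force the `unsafe-eval` exception, namely that template text is turned into code at runtime, where the encoded `#: #` form fits, and why the move to JavaScript literal templates removes the need for that exception. The JavaScript below is an added illustration and not Kendo's template engine: a toy compiler for `#= #` (raw) and `#: #` (HTML-encoded) markers that relies on `new Function`, beside a plain function using a template literal that needs no dynamic evaluation. The markup, the marker grammar and the sample row are constructed.

```javascript
// Added illustration, not Kendo UI code: a toy string-template compiler that
// needs dynamic evaluation, beside a literal template that does not.

// Encode the five characters that matter in HTML text and attribute values.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Compile "#= expr #" (raw) and "#: expr #" (HTML-encoded) markers, in the
// style of Kendo string templates, into a render function. The template text
// is assembled into JavaScript source and handed to `new Function`, which is
// the dynamic code evaluation that a script-src without 'unsafe-eval' blocks.
function compileStringTemplate(template) {
  const marker = /#([:=])\s*([^#]*?)\s*#/g;
  let body = "let out = '';\n";
  let last = 0;
  let m;
  while ((m = marker.exec(template)) !== null) {
    body += `out += ${JSON.stringify(template.slice(last, m.index))};\n`;
    body += m[1] === ':' ? `out += encode(${m[2]});\n` : `out += (${m[2]});\n`;
    last = marker.lastIndex;
  }
  body += `out += ${JSON.stringify(template.slice(last))};\nreturn out;`;
  const compiled = new Function('data', 'encode', body);
  return (data) => compiled(data, htmlEncode);
}

// The CSP-friendly form: an ordinary function using a template literal. No
// template text is parsed or evaluated at runtime, so no 'unsafe-eval' is
// needed; encoding is an explicit call instead of a marker.
const literalTemplate = (data) =>
  `<li class="item">${htmlEncode(data.name)} (${htmlEncode(data.qty)})</li>`;

// Render the same row both ways so the outputs can be compared.
function renderBoth(data) {
  const stringTemplate = compileStringTemplate(
    '<li class="item">#: data.name # (#= data.qty #)</li>');
  return { viaEval: stringTemplate(data), viaLiteral: literalTemplate(data) };
}

// Under an enforced CSP without 'unsafe-eval' the browser throws here; in
// Node (no CSP) it returns true. Handy for a quick check in the console.
function dynamicEvalAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample row; the name deliberately contains markup so the
// encoded marker and the encode() call can be seen doing the same work.
const SAMPLE_ROW = { name: '<b>Widget</b>', qty: 3 };
console.log(renderBoth(SAMPLE_ROW));
```

The two render paths produce identical markup; the difference is that `compileStringTemplate` cannot run at all on a page whose policy omits 'unsafe-eval', whereas `literalTemplate` is ordinary script and is governed only by the usual script-src rules for where it is loaded from.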
evb
Posted on: 25 Oct 2019 06:17

We're a year down the line, what's the status?

Like already said by others, because of the security, we will drop the use of kendo ui if there is no solution

Felickz
Posted on: 30 Oct 2018 15:26

Inline scripts seem to be part of the core design for the MVC controls. This would require using a WebForms-esque ScriptManager control to manage all the content that needs to be injected into the response.

Michael
Posted on: 24 Oct 2018 17:07

Agreed. This came up in a security audit and we can't be fully CSP compliant with the inline styles and eval calls. This is only going to become more and more important as time goes on. Kendo should really, really get this done.

Imported User
Posted on: 24 Oct 2018 13:34

This came up in our security audit and our security officer is concerned.

Jackson
Posted on: 17 Oct 2018 15:30

We need it, or we're gonna have to drop Kendo :(