Declined
Last Updated: 24 Aug 2022 14:25 by ADMIN
Dion
Created on: 14 Jul 2022 06:29
Category: Kendo UI for jQuery
Type: Bug Report
0
Missing Anti-CSRF tokens in kendo.all.min.js

Bug report

Missing Anti-CSRF tokens trigger security alerts when testing for security compliance with OWASP ZAP.

Reproduction of the problem

https://www.telerik.com/forums/how-to-resolve-absence-of-anti-csrf-token-alert-in-kendo-all-min-js-1559042

Current behavior

Expected/desired behavior

Environment

  • Kendo UI version: 2022.2.621
  • jQuery version: x.y
  • Browser: [all]
1 comment
ADMIN
Ivan Danchev
Posted on: 24 Aug 2022 14:25

Hello Dion,

After further investigation, the dev team decided that it is not viable to add Anti-CSRF tokens to kendo.all.min.js, because Kendo UI is used in different environments, not only in .NET (e.g., MVC, Core). Thus, adding tokens and covering all potential requests and environments would require significant changes to the source code. In other words, the lack of tokens is not due to an oversight on our part; instead, they haven't been intended to be included in the source code.

Regards,
Ivan Danchev
Progress Telerik
