Declined
Last Updated: 07 Feb 2024 13:27 by ADMIN
Joseph
Created on: 31 Jan 2024 18:07
Category: Kendo UI for jQuery
Type: Bug Report
Assistance Required for Implementing Strict CSP with Kendo UI jQuery v2018.3.911
I hope this email finds you well. I am writing this email regarding a CSP issue we are facing with our current implementation of Kendo UI jQuery v2018.3.911.

As part of our ongoing efforts to enhance the security of our website, we are looking to implement a strict Content Security Policy (CSP) and remove the “unsafe-” attributes. However, during our testing phase, we encountered a significant challenge: the current version of Kendo UI jQuery does not seem to operate under a CSP environment without the “unsafe-” settings.

We are seeking your expert advice on whether there is a feasible solution or workaround that would allow us to use strict CSP with our current version of Kendo UI jQuery. Or, should we consider an upgrade to a newer version of Kendo UI jQuery that is compatible with strict CSP? In this regard, we would like to understand:

  1. Are there any specific versions of Kendo UI jQuery that you would recommend for compatibility with strict CSP?
  2. What potential risks or extensive modifications might be involved in upgrading from our current version to a CSP-compatible version?
1 comment
ADMIN
Neli
Posted on: 07 Feb 2024 13:27

Hi Joseph,

1. Starting with the R1 2023 release, Kendo UI for jQuery addresses the unsafe-eval directive for all components except for the Spreadsheet. I would suggest taking a look at the article linked below:

- https://docs.telerik.com/kendo-ui/intro/widget-basics/content-security-policy

With the above, I would suggest upgrading at least to Kendo version 2023 R1 (we always recommend upgrading to the latest which is currently 2024.1.130) in order to take advantage of the mentioned improvement.

2. What potential risks or extensive modifications might be involved in upgrading from our current version to a CSP-compatible version? - it is hard to say what the main risks are, as I am not aware of the components used on your side. In addition, the time gap is huge, and many improvements in the components have been released. However, what will be helpful to take a look at related to CSP is the article regarding templates, as in order to be CSP compliant in case you are using templates in your application, you will need to rewrite all inline and external templates into CSP-compatible functional templates.

- https://docs.telerik.com/kendo-ui/framework/templates/get-started-csp-templates

As CSP has been addressed in the 2023 R1 version, I am changing the status of the report to 'Declined'. In case you have any additional comments or questions, please let us know.

Regards,
Neli
Progress Telerik

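As an added example (not from this thread and not Telerik's code), a small Node.js script that inventories the templates an application would have to rewrite before moving to a CSP-compliant Kendo version: external `text/x-kendo-template` script blocks, inline `template:` option strings, and `kendo.template()` compile calls, flagging templates that contain `# ... #` code blocks, which need a manual rewrite into a functional template rather than a mechanical one. The HTML fragment is constructed; the regexes assume the documented Kendo template syntax (`#= #` raw, `#: #` encoded, `# #` code).

```javascript
// Constructed sample page fragment (not from the thread): one external template
// block plus a widget init with two inline column templates and a compile call.
const SAMPLE_HTML = `
<script id="row-tmpl" type="text/x-kendo-template">
  <tr><td>#: name #</td><td>#= kendo.toString(price, "c") #</td></tr>
</script>
<script>
  $("#grid").kendoGrid({
    columns: [
      { field: "name", template: "<strong>#: name #</strong>" },
      { field: "tags", template: "# for (var i = 0; i < tags.length; i++) { # <span>#: tags[i] #</span> # } #" }
    ],
    rowTemplate: kendo.template($("#row-tmpl").html())
  });
</script>`;

// Kendo template placeholders: "#= expr #" raw, "#: expr #" encoded, "# js #" code.
const PLACEHOLDER = /#([=:]?)([\s\S]*?)#/g;

// Classify one template body by the placeholder kinds it uses. Templates with
// bare "# js #" blocks embed logic and cannot be converted mechanically.
function classify(body) {
  const kinds = new Set();
  for (const m of body.matchAll(PLACEHOLDER)) {
    kinds.add(m[1] === "" ? "code" : m[1] === "=" ? "raw" : "encoded");
  }
  return { kinds: [...kinds].sort(), needsLogicRewrite: kinds.has("code") };
}

// List every template found in the page source, external blocks first.
function inventoryTemplates(html) {
  const found = [];
  const external = /<script[^>]*type=["']text\/x-kendo-template["'][^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(external)) {
    const id = (m[0].match(/id=["']([^"']+)["']/) || [])[1] || "(no id)";
    found.push({ source: "external", id, ...classify(m[1]) });
  }
  // Inline "template: '...'" option strings that actually contain placeholders.
  const inline = /template:\s*(["'])((?:\\.|(?!\1)[\s\S])*?)\1/g;
  for (const m of html.matchAll(inline)) {
    if (m[2].includes("#")) found.push({ source: "inline", id: m[2].slice(0, 30), ...classify(m[2]) });
  }
  return found;
}

// Each kendo.template(string) call compiles via new Function, which a CSP without
// 'unsafe-eval' blocks, so these call sites must also change.
function countTemplateCompiles(html) {
  return (html.match(/kendo\.template\(/g) || []).length;
}

console.log(JSON.stringify(inventoryTemplates(SAMPLE_HTML), null, 2));
console.log("kendo.template() calls:", countTemplateCompiles(SAMPLE_HTML));
```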