'unsafe-eval' support in Content Security Policy

4 posts, 0 answers
  1. Matt
    2 posts
    Member since:
    Jul 2016

    Posted 18 Jul

    Hello,

    I understand that Kendo UI uses eval calls in its internal template engine. Are there any plans to develop a workaround that supports the rendering of Kendo UI widgets which comply with a strict Content Security Policy that omits the 'unsafe-eval' keyword from the 'script-src'?

    Thank you for your time.

  2. Kiril Nikolov
    Admin
    2564 posts

    Posted 19 Jul

    Hello Matt,

    Currently there is no way to create templates without the eval() method. Therefore, Kendo UI does not currently support the strict CSP mode.

    If CSP mode is enabled for a Kendo UI application, the unsafe-eval keyword should be added as part of the meta tag used for enabling the CSP mode:

    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
     
    Regards,
    Kiril Nikolov
    Telerik by Progress
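To check which policies actually leave room for an eval-based template engine like the one described in the reply above, here is an added example (not Kendo UI code and not from the thread): a small parser that applies the script-src to default-src fallback and the first-occurrence rule that browsers use, and reports whether a given policy permits eval. The policy strings it compares are constructed sample input based on the meta tag in the reply.

```javascript
// Added example, not Kendo UI code: decide whether a Content-Security-Policy
// value permits eval-style script execution (eval, new Function, string
// arguments to setTimeout), which eval-based template engines require.

// Parse "directive value value; directive value" into { directive: [values] }.
// Only the first occurrence of a directive is honoured, as browsers do.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = values;
  }
  return directives;
}

// Source list that governs scripts: script-src, else default-src, else null
// (the policy places no restriction on scripts at all).
function effectiveScriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// True when the policy lets eval-based code run.
function allowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies: the relaxed one from the reply above, a strict
// variant with the keyword dropped, and one that relies on the default-src fallback.
const POLICIES = {
  relaxed: "script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;",
  strict: "script-src 'self' https://kendo.cdn.telerik.com;",
  defaultOnly: "default-src 'self' 'unsafe-eval'",
};

function report() {
  return Object.fromEntries(
    Object.entries(POLICIES).map(([name, p]) => [name, allowsEval(p)])
  );
}

console.log(report()); // { relaxed: true, strict: false, defaultOnly: true }
```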
  4. Matt
    2 posts
    Member since:
    Jul 2016

    Posted 19 Jul in reply to Kiril Nikolov

    Hello Kiril,

    Are there any plans in the future to address this issue with strict CSP?

    Thank you

  5. Kiril Nikolov
    Admin
    2564 posts

    Posted 20 Jul

    Hi,

    It will require reworking the whole template engine and big parts of the framework, and this is as big as it sounds. So it is not in our immediate plans.

    Regards,
    Kiril Nikolov
    Telerik by Progress