An effective CSP will provide you with a safety net against XSS attacks. Kendo UI for Angular components are fully compatible with strict CSPs.
We've got an important update for you on Kendo UI support for Angular and Content Security Policies (CSPs). For the quick version, you can skim the summary right here, or dive into the full content below.
Content Security Policy is a browser feature for protecting against cross-site scripting attacks (XSS), one of the most common attack vectors on the web. It is a useful layer to have in your defense-in-depth strategy.
But it's just that—a layer, not a complete solution in itself. Not all browsers support it, the most notable exception being IE prior to Edge.
An example policy that satisfies the rules above is: "script-src 'self'; object-src 'none'"
The CSP Evaluator tool can be used to identify problems with your policy. An extensive research on the real-world effectiveness of different policies is available in the CSP Is Dead, Long Live CSP! research paper.
Your application has to use Ahead of Time Compilation (AOT). The JIT compiler is not suitable as it must generate dynamic scripts at runtime.
As of this week—none. The @progress/kendo-data-query has dropped the use of "eval" in version 1.1.0, making the suite fully compatible with a strict CSP. A sample application is available on GitHub.
The template engine in Kendo UI for jQuery requires `script-src: "unsafe-eval"` due to the use of dynamic code generation, much like the Angular JIT compiler. A pure client-side framework doesn't have the luxury of server-side template compilation. That said, we actively manage XSS vectors by sanitizing input data.
For more details on CSP, you may want to review the articles on Web Fundamentals and on MDN.
In the context of Angular applications, the Intro to Web Security by Dominik Kundel (slides) talk from Angular Connect '17 talk is definitely worth your time. Last, but not least, you can check out the Security topic from the Angular documentation.
Tsvetomir is a developer on the Kendo UI team. He enjoys helping others as much as creating software. In his spare time, Tsetso loves reading science fiction and photographing nature.