This is a migrated thread and some comments may be shown as answers.

'unsafe-eval' support in Content Security Policy

7 Answers 1737 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
Matt
Top achievements
Rank 1
Matt asked on 18 Jul 2016, 11:04 PM

Hello,

I understand that Kendo UI uses eval calls in its internal template engine.  Are there any plans to develop a workaround that support the rendering of Kendo UI widgets which comply with a strict Content Security Policy that omits the 'unsafe-eval' keyword from the 'script-src'?

Thank you for your time.

Sourabh
Top achievements
Rank 1
commented on 27 Jul 2021, 04:30 AM

Hi, appreciate if I can get update related to removal of unsafe-eval in Kendo UI for JQuery controls? Is this in the roadmap if it is not handled at the moment ?

Regards
Sourabh Sahu

7 Answers, 1 is accepted

Sort by
0
Kiril Nikolov
Telerik team
answered on 19 Jul 2016, 04:33 PM
Hello Matt,

Currently there is no way for creating templates without the eval() method. Therefore, Kendo UI does not currently support the strict CSP mode.

If CSP mode is enabled for a Kendo UI application, the unsafe-eval keyword should be added as part of the meta tag used for enabling the CSP mode:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
 
Regards,
Kiril Nikolov
Telerik by Progress
 
Get started with Kendo UI in days. Online training courses help you quickly implement components into your apps.
 
0
Matt
Top achievements
Rank 1
answered on 19 Jul 2016, 05:12 PM

Hello Kiril,

Are there any plans in the future to address this issue with strict CSP?

Thank you

0
Kiril Nikolov
Telerik team
answered on 20 Jul 2016, 07:20 AM
Hi,

It will requires re working the whole template engine and big parts of the framework, and this as big as it sounds. So it is not in our immediate plans.

Regards,
Kiril Nikolov
Telerik by Progress
 
Get started with Kendo UI in days. Online training courses help you quickly implement components into your apps.
 
0
Aleksandr
Top achievements
Rank 1
answered on 12 Jun 2017, 07:53 AM

Hi,

Would it still be the case with Kendo for Angular (2, 4)?

Ganesh
Top achievements
Rank 1
commented on 06 Apr 2022, 06:32 AM

how about kendoreact's recent versions, does it have dependency on unsafe-eval?.
Neli
Telerik team
commented on 07 Apr 2022, 12:56 PM

Likewise, to what has been mentioned previously for Kendo UI for Angular suite, the unsafe-eval is not needed in KendoReact.

In case you have additional questions related to the KendoReact suite I would recommend opening a support ticket for the respective product or posting a question in the KendoReact forum:

https://www.telerik.com/forums/kendo-ui-react

Regards,

Neli

0
Dimiter Topalov
Telerik team
answered on 13 Jun 2017, 08:43 AM
Hi Aleksandr,

This is not the case with Kendo UI for Angular components, as they are "native" Angular components, built entirely using Angular and TypeScript, and rely entirely on the template engine, provided by the Angular framework for rendering.

The Kendo UI Templates, known from the Kendo UI for jQuery were not transferred to Kendo UI for Angular.

Regards,
Dimiter Topalov
Progress Telerik
Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
0
Subba
Top achievements
Rank 1
answered on 25 Sep 2020, 01:39 PM
Hi, Any updates regarding not to use unsafe-eval in Kendo UI for Jquery controls? Is it still in consideration or No at this point of time?
0
Ivan Danchev
Telerik team
answered on 29 Sep 2020, 01:12 PM

Hi Subba,

At present, we have no plans on removing eval, so what's been said earlier in this thread and in this documentation section, is still valid.

Regards,
Ivan Danchev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Sourabh
Top achievements
Rank 1
commented on 26 Jul 2021, 12:06 PM

Hi, appreciate if I can get update related to removal of unsafe-eval in Kendo UI for JQuery controls? Is this in the roadmap if it is not handled at the moment ?

Regards
Sourabh Sahu
Neli
Telerik team
commented on 28 Jul 2021, 09:23 AM

Hi Saurabh, 

The 'unsafe-eval' keyword still should be added as part of the meta tag used for enabling the CSP mode. There is a Feature Request for CSP Support, where the issue is discussed in details. Below you will find a link to it.

https://feedback.telerik.com/kendo-jquery-ui/1359789-csp-support

Regards,

Neli

Tags
General Discussions
Asked by
Matt
Top achievements
Rank 1
Answers by
Kiril Nikolov
Telerik team
Matt
Top achievements
Rank 1
Aleksandr
Top achievements
Rank 1
Dimiter Topalov
Telerik team
Subba
Top achievements
Rank 1
Ivan Danchev
Telerik team
Share this question
or