I understand that Kendo UI uses eval calls in its internal template engine. Are there any plans to develop a workaround that support the rendering of Kendo UI widgets which comply with a strict Content Security Policy that omits the 'unsafe-eval' keyword from the 'script-src'?
Thank you for your time.
7 Answers, 1 is accepted
Currently there is no way for creating templates without the eval() method. Therefore, Kendo UI does not currently support the strict CSP mode.
If CSP mode is enabled for a Kendo UI application, the unsafe-eval keyword should be added as part of the meta tag used for enabling the CSP mode:
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
Telerik by Progress
Are there any plans in the future to address this issue with strict CSP?
It will requires re working the whole template engine and big parts of the framework, and this as big as it sounds. So it is not in our immediate plans.
Telerik by Progress
Would it still be the case with Kendo for Angular (2, 4)?
Likewise, to what has been mentioned previously for Kendo UI for Angular suite, the unsafe-eval is not needed in KendoReact.
In case you have additional questions related to the KendoReact suite I would recommend opening a support ticket for the respective product or posting a question in the KendoReact forum:
This is not the case with Kendo UI for Angular components, as they are "native" Angular components, built entirely using Angular and TypeScript, and rely entirely on the template engine, provided by the Angular framework for rendering.
The Kendo UI Templates, known from the Kendo UI for jQuery were not transferred to Kendo UI for Angular.
At present, we have no plans on removing eval, so what's been said earlier in this thread and in this documentation section, is still valid.
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
The 'unsafe-eval' keyword still should be added as part of the meta tag used for enabling the CSP mode. There is a Feature Request for CSP Support, where the issue is discussed in details. Below you will find a link to it.