'unsafe-eval' support in Content Security Policy

6 posts, 0 answers
  1. Matt
    2 posts
    Member since:
    Jul 2016

    Posted 18 Jul 2016

    Hello,

    I understand that Kendo UI uses eval calls in its internal template engine. Are there any plans to develop a workaround that supports the rendering of Kendo UI widgets which comply with a strict Content Security Policy that omits the 'unsafe-eval' keyword from the 'script-src'?

    Thank you for your time.

  2. Kiril Nikolov
    Admin
    2598 posts

    Posted 19 Jul 2016

    Hello Matt,

    Currently there is no way for creating templates without the eval() method. Therefore, Kendo UI does not currently support the strict CSP mode.

    If CSP mode is enabled for a Kendo UI application, the unsafe-eval keyword should be added as part of the meta tag used for enabling the CSP mode:

    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">
     
    Regards,
    Kiril Nikolov
    Telerik by Progress
     
    Get started with Kendo UI in days. Online training courses help you quickly implement components into your apps.
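
Why a template engine of this kind needs 'unsafe-eval', as an added example that is not part of the original thread and is not Kendo UI's code: a compiler that builds JavaScript source and passes it to `new Function` (blocked when `script-src` omits 'unsafe-eval') beside a renderer that never turns strings into code. The `#: path #` placeholder syntax, the function names and the sample data are assumptions made for this illustration.

```javascript
// Added illustration, NOT Kendo UI's code. The "#: path #" syntax is assumed here.
const PLACEHOLDER = /#:\s*([\w.]+)\s*#/g;

function htmlEncode(value) {
  return String(value ?? "").replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Style 1: compile the template into JavaScript source and hand it to the
// Function constructor. Under a CSP whose script-src lacks 'unsafe-eval',
// the browser throws EvalError on the `new Function` call.
function compileWithFunction(template) {
  let body = "return ";
  let last = 0;
  for (const m of template.matchAll(PLACEHOLDER)) {
    body += JSON.stringify(template.slice(last, m.index)) + " + enc(data." + m[1] + ") + ";
    last = m.index + m[0].length;
  }
  body += JSON.stringify(template.slice(last)) + ";";
  const fn = new Function("data", "enc", body); // string-to-code: needs 'unsafe-eval'
  return (data) => fn(data, htmlEncode);
}

// Style 2: parse once into literal/field parts and interpret them at render
// time. No string is ever evaluated as code, so a strict CSP does not block it.
function compileWithoutEval(template) {
  const parts = [];
  let last = 0;
  for (const m of template.matchAll(PLACEHOLDER)) {
    parts.push({ text: template.slice(last, m.index) }, { path: m[1].split(".") });
    last = m.index + m[0].length;
  }
  parts.push({ text: template.slice(last) });
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const lookup = (data, path) =>
    path.reduce((obj, key) => (obj != null && own(obj, key) ? obj[key] : undefined), data);
  return (data) =>
    parts.map((p) => (p.path ? htmlEncode(lookup(data, p.path)) : p.text)).join("");
}

// Constructed sample input.
const SAMPLE_TEMPLATE = "<li>#: user.name # (#: user.role #)</li>";
const SAMPLE_DATA = { user: { name: "<b>Matt</b>", role: "member" } };
```

Both functions return the same markup for the sample; only the first depends on the 'unsafe-eval' keyword shown in the meta tag above.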
     
  3. Matt
    2 posts
    Member since:
    Jul 2016

    Posted 19 Jul 2016 in reply to Kiril Nikolov

    Hello Kiril,

    Are there any plans in the future to address this issue with strict CSP?

    Thank you

  4. Kiril Nikolov
    Admin
    2598 posts

    Posted 20 Jul 2016

    Hi,

    It will require reworking the whole template engine and big parts of the framework, and this is as big as it sounds. So it is not in our immediate plans.

    Regards,
    Kiril Nikolov
    Telerik by Progress
     
     
  5. Aleksandr
    3 posts
    Member since:
    Dec 2016

    Posted 12 Jun

    Hi,

    Would it still be the case with Kendo for Angular (2, 4)?

  6. Dimiter Topalov
    Admin
    635 posts

    Posted 13 Jun

    Hi Aleksandr,

    This is not the case with Kendo UI for Angular components, as they are "native" Angular components, built entirely using Angular and TypeScript, and rely entirely on the template engine provided by the Angular framework for rendering.

    The Kendo UI Templates, known from Kendo UI for jQuery, were not transferred to Kendo UI for Angular.

    Regards,
    Dimiter Topalov
    Progress Telerik
    Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.