CSP after applying "script-src 'self' " Kendo control doesn't work

1 Answer 1003 Views
DropDownList Grid
Sachin
Top achievements
Rank 1
Sachin asked on 13 Dec 2022, 12:30 PM

In CSP we were using script-src 'self' 'unsafe-inline' 

but for security purpose need to remove 'unsafe-inline' , we added  'nonce-a9f04fd1-06cf-4948-9d66-ea306e581896' for inline script.

applied nonce for inline script 

<script type="text/javascript" nonce="a9f04fd1-06cf-4948-9d66-ea306e581896">

</script>

but after applying these change kendo  controls not working. Our assumption is there are dynamic inline scripts generated  for kendo controls which not contains nonce. so it may cause an issue.

we also tried DeferredScripts but no success. after applying 'unsafe-inline'  it works.

<script type="text/javascript" nonce="a9f04fd1-06cf-4948-9d66-ea306e581896">

    @Html.Kendo().DeferredScripts()

</script>

 

Please suggest as we want to remove 'unsafe-inline' with kendo controls need to work.

 

1 Answer, 1 is accepted

Sort by
0
Ivan Danchev
Telerik team
answered on 16 Dec 2022, 07:37 AM

Hello Sachin,

See this article, which describes the necessary settings: https://docs.telerik.com/aspnet-mvc/troubleshoot/troubleshooting-content-security-policy

In addition to deferring the components and setting the nonce attribute value of the script tag:

<script type="text/javascript" nonce="kendoInlineScript">

the value of the meta tag content attribute must be set accordingly as well:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com;">

Regards,
Ivan Danchev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Sachin
Top achievements
Rank 1
commented on 29 Dec 2022, 10:44 AM | edited

Hi Ivan,

Thanks for reply and suggestions.

We are able to remove 'unsafe-inline' from CSP and kendo controls working fine with 'unsafe-eval'.

We need to remove all 'unsafe-' Prefixed Directives from CSP.  How we can remove 'unsafe-eval' dependency with kendo ?

We have found on update from Telerik (Kendo)  that 'unsafe-eval' will fixed in next year release.

CSP Support (telerik.com)

Please suggest.

Ivan Danchev
Telerik team
commented on 03 Jan 2023, 10:07 AM

Yes, we are still working on the CSP support and we expect to be ready with that for the R1 2023 release. The release is due the third week of January. 
Sachin
Top achievements
Rank 1
commented on 02 Feb 2023, 06:58 AM | edited

Hi Ivan,

Any update on R1 2023 release for removing 'unsafe-eval' dependency with kendo.

Ivan Danchev
Telerik team
commented on 06 Feb 2023, 04:59 PM

With R1 2023 we released a new template syntax, which allows using the Kendo UI for jQuery components without adding "unsafe-eval". For more details, see this section of the documentation: https://docs.telerik.com/kendo-ui/intro/widget-basics/content-security-policy#for-r1-2023-and-later-working-with-kendo-ui-for-jquery

We are still working on the CSP support for the MVC and Core helpers, which is why currently they still depend on "unsafe-eval". We expect the improvements to be included in the R1 2023 SP1 release in mid March.

Sachin
Top achievements
Rank 1
commented on 02 Mar 2023, 12:18 PM

Hi Ivan,

Any update on R1 2023 SP1 release in mid March for removing 'unsafe-eval' dependency with kendo for MVC?

Ivan Danchev
Telerik team
commented on 07 Mar 2023, 09:52 AM

Hi Sachin,

We are on track with the CSP improvements for UI for ASP.NET MVC and plan on including them in the R1 2023 SP1 release, which is coming next week.
Sachin
Top achievements
Rank 1
commented on 25 Mar 2023, 12:43 PM | edited

Hi Ivan

Any update on R1 2023 SP1 release in mid March for removing 'unsafe-eval' dependency with kendo for MVC?

Sachin
Top achievements
Rank 1
commented on 29 Mar 2023, 06:34 AM

Hi Ivan

Awaiting your response

Ivan Danchev
Telerik team
commented on 29 Mar 2023, 02:19 PM

Hi Sachin,

The documentation was updated with more information about the CSP support after the R1 2023 SP1. See the following section for more details on the new features introduced with this release, which allow you to remove 'unsafe-eval': https://docs.telerik.com/aspnet-mvc/html-helpers/helper-basics/content-security-policy#for-r1-2023-sp1-and-later-working-with-telerik-ui-for-aspnet-mvc-components

 

Sachin
Top achievements
Rank 1
commented on 14 Apr 2023, 09:34 AM | edited

Hi Ivan,

We are implementing new release for Kendo MVC for CSP changes. We removed unsafe-eval

below is sample code

CommonFunctions.BindFileroomGridColumn<FileroomModel, string>(
            columns: columns,
            bindExpression: p => p.BinderLevelButtons,
            clientTemplate: "",
            headerTemplate: "Options",
            isFilterable: false,
            isGroupable: false,
            isSortable: false,
            title: "",
            width: "80px",
            headerHtmlAttr: new { @class = "disable-resize", data_columnname = "binderlevelbuttons" },
            htmlAttr: new { @class = "binderbtn", data_columnname = "binderlevelbuttons",data_binderid = "#= BinderID #", data_isaccess = "#= E_Access #" },
            totalWidth: ref totalWidth);

Setting in .HtmlAttributes

When grid is loaded

we are not getting value of column binderid value, before removing unsafe-eval it was working

Before Removing unsafe-Eval

After Removing Unsafe-Eval

Please suggest

Ivan Danchev
Telerik team
commented on 14 Apr 2023, 10:34 AM

Hi Sachin,

For issues with the Grid, please submit a ticket with product Grid / UI for ASP.NET MVC in the ticketing system: https://www.telerik.com/account/support-center/contact-us/submit-ticket

 

Tags
DropDownList Grid
Asked by
Sachin
Top achievements
Rank 1
Answers by
Ivan Danchev
Telerik team
Share this question
or