In Windows 10 there is a feature(and a policy that applies the feature), which blocks the so-called "untrusted fonts". Untrusted fonts mean any font not installed %windir%/fonts, including web fonts.
With this feature enabled (or the policy applied) custom fonts, such as font icons will not be loaded regardless of the provider. Hence, font icons used by Kendo UI, Kendo UI for Angular and Telerik UI for ASP.NET AJAX, MVC, Core will not be loaded.
More information about the Windows 10 feature that blocks the untrusted font icons could be found below:
24 Answers, 1 is accepted
So the unfortunate solution would be to use the last Kendo UI version (2016 version) that used images instead of font icons?
I'm using Kendo UI on sites accessed by government persons and since we don't have control over how their networks may configure their machines, if they are blocking untrusted fonts (which can be done in Windows 7 as well) then there is no way we could ever use a Kendo UI version beyond the last 2016 ver.
I like font icons, but can't justify paying for licenses for future versions when I know that portions of my user base may never be able to use font icons for the foreseeable future, thus making Kendo UI somewhat unusable in my world.
as of now we don't really have an answer for that question.
We are evaluating a couple of options, namely, providing an alternative stylesheet that uses image icons or employing svg icons, with both having their ups and downs.
The ups for image icon alternative are that images are unlikely to be disabled as technology anytime soon, unless you are browsing in windows high contrast mode with a browser lower than Edge. The downs are that we need at least 3 sprites for the task and a workaround for the aforementioned high contrast mode.
The ups for svg is that it doesn't suffer from the high contrast issue; it's scalable; controllable by css (if made the correct way)... The downs are higher markup payload; couple of browser issues to name a few.
As soon as we have chosen a direction, we'll update this thread with our intended resolution.
Regards,
Ivan Zhekov
Telerik by Progress
With that in mind it seems, that the policy will be either removed or needs to be disabled without any security consequences. Note: according to the last comment, disabling the policy does not enable font downloading (which is another security policy).
We'll monitor closely the development of the issue and if need be, we'll provide a fix.
Regards,
Ivan Zhekov
Progress Telerik
Just to be on the same page, Untrusted font blocking policy differs from Allow font download policy. The former disabled use of fonts not located within windir/fonts directory (for any Microsoft app), while the latter simply doesn't download any fonts (in Internet Explorer and Edge).
Regards,
Ivan Zhekov
Progress Telerik
I don't know if this applies to the other folks who have posted on this thread, but I can attest to the fact that government entities are usually much slower at adopting and implementing change; especially if there is any potential security risk (real or perceived) involved. So if they can still block font icons in any way, they probably will and if that is the case, then my original point still stands - using Kendo UI beyond 2016 version has an inherent use risk in this regard because of the sole reliance on font icons for visual cue, thus making it somewhat unusable to support government clients.
I do understand that you have no plans for a fix at this time and that you would have to make product decisions looking forward, just wanted to express that, in the scenario of font icons, making them the only option causes some grief.
Looks like
Kendoui for external website is not a good choice going forward. I would not
recommend Kendoui to anybody. Many of my clients are not seeing any icons in
the grid, dropdowns and so on. I had a fix for my personal icons with a .svg
alternative, but kendo seems to be impossible to fix. I am not in a position to
go back to a version before 2016 too.
I wish Telerik will provide a work around at the earliest.
From the clarifications in the comments it also seems that the policy applies to IE 11 only, so another option would be to use Edge browser (comes with all windows 10 installations).
The best way to resolve the issue would be to upgrade to that version, or if a newer is available.
If that is not applicable at this time, there are other ways to resolve the issue: if the issue is happening in a controlled environment, apps can be excluded from the mitigation policy, as described in the Block untrusted font documentation (https://docs.microsoft.com/en-us/windows/threat-protection/block-untrusted-fonts-in-enterprise).
It's worth noting that the MS staff is responding quite swiftly, so questions related to enabling / disabling the policies, as well as the scope of the policies could be directed at either at the blog post, or the documentation article.
For the time being, it's not feasible to change our font icons to svg icons, because it's resource consuming and the benefit will be only for those affected e.g. the rest of the customers will not see almost any difference.
Proving an image sprites is also not an option, because some themes don't have them at all; and all themes use font icons for certain controls.
Regards,
Ivan Zhekov
Progress Telerik
From the clarifications in the comments it also seems that the policy applies to IE 11 only, so another option would be to use Edge browser (comes with all windows 10 installations).
The best way to resolve the issue would be to upgrade to that version, or if a newer is available.
If that is not applicable at this time, there are other ways to resolve the issue: if the issue is happening in a controlled environment, apps can be excluded from the mitigation policy, as described in the Block untrusted font documentation (https://docs.microsoft.com/en-us/windows/threat-protection/block-untrusted-fonts-in-enterprise).
It's worth noting that the MS staff is responding quite swiftly, so questions related to enabling / disabling the policies, as well as the scope of the policies could be directed at either at the blog post, or the documentation article.
For the time being, it's not feasible to change our font icons to svg icons, because it's resource consuming and the benefit will be only for those affected e.g. the rest of the customers will not see almost any difference.
Proving an image sprites is also not an option, because some themes don't have them at all; and all themes use font icons for certain controls.
Regards,
Ivan Zhekov
Progress Telerik
[/quote]
Any ideas why we do not have the problem when using kendo CDN ?
The following is just speculation and should be taken with a grain of salt.
Back in the days, when IE 10 and 11 became available some versions of .net framework were not able to recognize them as such. So to target this Microsoft had set up a site that contained definitions of many sites and instructed IE 10/11 to spoof another browser string. Among those sites were all of Telerik domains. In other words, if you had hosted a single page on demos.telerik.com and on arandomsite.com, you would get different experience when opening it with the same browser.
So here is the speculation: perhaps, there is the same rule that allows fonts from certain sites to be processed. But that's just a speculation.
And also, in our Sass themes (and their less counterparts) we embed the fonts within the styles (as base64 data url). We have not verified if such fonts would be blocked.
So depending on the actual scenario, any of the following is possible:
* the policy is no longer applied
* the policy is applied, but the kendo cdn is white listed
* the policy is applied, but white lists all embedded fonts
Regards,
Ivan Zhekov
Progress Telerik
could you test with the new sass based themes, either kendo-theme-default or kendo-theme-bootstrap, which have embedded font icons as base64 resources. If the problem persists, then the only solution would be downgrade. If the issue is fixed, we'll iterate over the less themes to embed the font as well.
Regards,
Ivan Zhekov
Progress Telerik
Well I worked around the issue by adding to the specific classes a background image which was identical to the font image. In IE you see these images in other browsers the overlay is unnoticed as it is identical in position and size. It was a PIA but this seemed the least disruptive.
I would like to see Telerik address this in a more formal manor as IE still accounts for a large base for many companies.
SASS based themes are all themes available for KendoUI for Angular and Default v2 and Bootstrap v4 in KendoUI for jQuery. We are afraid that there is no update about a new workaround or planning of providing a fix for this moment.
Regards,
Magdalena
Progress Telerik
Thank you for the feedback provided. I will forward the suggestion to the development team for further discussion.
Regards,
Dimitar
Progress Telerik
I am glad things worked out.
One last thing -- when you said that you needed to tweak the CSP, that rang a bell in a colleague of mine and he referred me to this article: https://docs.telerik.com/devtools/aspnet-ajax/general-information/troubleshooting/content-security-policy. (We'll update the article to include the aforementioned "data:" part, obviously) But I wanted to ask you if the fonts would be loaded if you set the CSP meta tag as in the article?
Regards,
Ivan Zhekov
Progress Telerik
It is not considerable for us to switch from LESS to SASS right now.
You have a point. While we do have our hands full with features for 2018 R2, we'll do our best to make up some time to embed the fonts.
Regards,
Ivan Zhekov
Progress Telerik
We have logged a task concerning the discussed security policy in the Kendo UI GitHub repository - issue #4208. We will update the item with additional details as soon as possible.
In the mean time, there is a provided workaround in the issue that might be used as a temporary solution.
Regards,
Dimitar
Progress Telerik