[Solved] How to resolve missing Sub Resource Integrity Attribute from kendo.all.min.js?

Security
Sachith
Top achievements
Rank 1
Sachith asked on 06 Apr 2026, 11:34 AM
While security testing through OWASP ZAP, a medium risk issue 'Sub Resource Integrity Attribute Missing' is flagging because kendo.all.min.js internally loads pdf.worker.mjs from Cloudflare CDN without SRI hash.

How to resolve this?

1 Answer, 1 is accepted

Anton Mironov
Telerik team
answered on 09 Apr 2026, 06:00 AM

Hi Sachith,

Thank you for the details provided.

The Kendo UI for ASP.NET MVC library does not provide a built-in way to add a Subresource Integrity (SRI) attribute for scripts like pdf.worker.mjs that are loaded internally by kendo.all.min.js from the CDN. This is a limitation because the resource is loaded dynamically and the SRI attribute cannot be set.

To address this, you can host pdf.worker.mjs locally within your application and configure Kendo UI to load it from your server instead of the CDN. This way, you have full control over the file and can ensure its integrity. Here’s how you can do it:

Download pdf.worker.mjs from the CDN and place it in your project, for example under /Scripts/pdf.worker.mjs.

Configure Kendo UI to use the local worker file. If you are using the PDF export feature, set the worker URL as follows:

kendo.pdf.defineWorker('/Scripts/pdf.worker.mjs');

Ensure your application serves this file securely and, if needed, you can further control its integrity by managing your deployment process.

Kind Regards,
Anton Mironov
Progress Telerik


Sachith
commented on 16 Jun 2026, 07:53 AM

Hi Anton,

Thank you for the workaround. We are currently planning to make the above change, but we have a follow-up question.
Even after hosting pdf.worker.mjs locally, the kendo.all.min.js file has the pdf.worker.mjs CDN reference internally. ZAP will still flag the pdf worker Kendo CDN scripts. Can you tell us whether there is anything we can do to handle this scenario?

Thank you.

Neli
Telerik team
commented on 18 Jun 2026, 11:56 AM

Hi Sachith,

By explicitly setting the worker source to your local file (using window.pdfjsLib.GlobalWorkerOptions.workerSrc or the relevant PDFViewer configuration), you ensure that your application loads the local worker script at runtime. This mitigates the actual security risk, as the CDN file is not requested.

If you want to avoid the kendo.all.min.js script and its internal references entirely, you can load only the required scripts for PDFViewer as modules. For example:

<script src="/Scripts/pdf.mjs" type="module"></script>
<script src="/Scripts/pdf.worker.mjs" type="module"></script>
<script src="/Scripts/kendo.pdfviewer-common.cmn.chunk.js" type="module"></script>
<script src="/Scripts/kendo.pdfviewer.js" type="module"></script>

As long as your application is configured to load the local worker and no network requests are made to the CDN at runtime, the risk is mitigated from a functional perspective.

However, regarding the ZAP flag, a practical option is to mark the ZAP finding as a false positive, since it is matching a string literal, and to set pdfjsLib.GlobalWorkerOptions.workerSrc to your locally hosted pdf.worker.mjs before initializing the PDFViewer so that code path is never reached at runtime.

I hope this helps.

Regards,
Neli
Progress Telerik
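
Added example, not part of the thread and not Telerik code: a Node.js deploy-time check that the self-hosted /Scripts/pdf.worker.mjs still matches the SRI digest pinned when the file was reviewed, plus a helper that emits the module script tag with an integrity attribute. The function names and the stand-in file contents are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// SRI value for file contents: "<algo>-<base64 digest>".
function sriFor(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// True when the contents hash to the pinned SRI value.
function matchesPinned(bytes, pinned) {
  const algo = pinned.split('-', 1)[0];
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) return false;
  const expected = Buffer.from(pinned);
  const actual = Buffer.from(sriFor(bytes, algo));
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}

// Deployment gate: return every vendored path whose contents are missing
// or no longer match the pin recorded when the file was reviewed.
function auditVendored(pins, readFile) {
  return Object.entries(pins)
    .filter(([path, pinned]) => {
      const bytes = readFile(path);
      return bytes === undefined || !matchesPinned(bytes, pinned);
    })
    .map(([path]) => path);
}

// Script tag for a same-origin module carrying the integrity attribute.
function scriptTag(src, bytes) {
  return `<script src="${src}" type="module" integrity="${sriFor(bytes)}"></script>`;
}

// Constructed sample: stand-in contents, not the real pdf.js worker.
const reviewed = Buffer.from('/* constructed stand-in for pdf.worker.mjs */');
const pins = { '/Scripts/pdf.worker.mjs': sriFor(reviewed) };
const tampered = Buffer.concat([reviewed, Buffer.from('\n// modified')]);

const cleanBuild = auditVendored(pins, () => reviewed);
const badBuild = auditVendored(pins, () => tampered);
console.log(scriptTag('/Scripts/pdf.worker.mjs', reviewed));
console.log({ cleanBuild, badBuild });
```

In a real pipeline, readFile would read the build output from disk and a non-empty result would fail the deployment.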
