Kendo and CSP. got error "This document requires 'TrustedHTML' assignment."

1 Answer 29 Views
General Discussions
Levon
Top achievements
Rank 1
Iron
Iron
Levon asked on 29 Sep 2025, 01:40 PM

How to deal with strict rules at Content security policy are.

Using Angular 20 and Kendo 20 Version. 
Currently just importing "CheckBoxModule" (only) in NgModule of application got error in console

This document requires 'TrustedHTML' assignment.
Uncaught TypeError: Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment


When removing the error disappear and application works.

1 Answer, 1 is accepted

Sort by
0
Zornitsa
Telerik team
answered on 02 Oct 2025, 11:17 AM

Hi Levon,

I performed some testing and was able to reproduce the described error message ("This document requires 'TrustedHTML' assignment") only when I enabled the require-trusted-types-for 'script' directive in the application. In general, this setting enforces the use of Trusted Types for DOM updates that involve HTML, such as assignments to innerHTML.

After additional troubleshooting, the error seems to also reproduce in a standalone Angular application with the require-trusted-types-for 'script' directive set, and when importing the KENDO_CHECKBOX (or KENDO_INPUTS) utility array.

On that note, it appears that the error is not directly related to the Kendo UI for Angular packages, but it emerges from the @progress/kendo-drawing package, which is a dependency of the Kendo UI for Angular Inputs:

This means that the error also emerges when importing any other Kendo UI for Angular package in the project, which depends on @progress/kendo-drawing (e.g., KENDO_GRID, KENDO_CHARTS).

With the above being said, I logged the following bug report in our public GitHub repository:

Feel free to subscribe to the above issue in order to stay notified of any updates regarding the resolution process of this bug. The issue can be used for tracking purposes, as it will be updated when there is any progress on the kendo-drawing bug. 

As a small token of gratitude for reproting this bug, I have updated the Telerik points of your account.

I hope the provided information clears up the matter.

Regards,
Zornitsa
Progress Telerik

Your perspective matters! Join other professionals in the State of Designer-Developer Collaboration 2025: Workflows, Trends and AI survey to share how AI and new workflows are impacting collaboration, and be among the first to see the key findings.
Start the 2025 Survey
Levon
Top achievements
Rank 1
Iron
Iron
commented on 06 Oct 2025, 09:16 AM

Thank you very much for reviewing the mentioned issue deeply. 
I would like to be informed about estimation/version fix would included.
Zornitsa
Telerik team
commented on 09 Oct 2025, 07:22 AM

Hi Levon,

I am happy to announce that a fix for the discussed bug has been released in v1.22.2 of the @progress/kendo-drawing package.

The version with the fix has been tested locally, and the CSP error no longer emerges. Feel free to test it out on your side as well, and see whether the error is now resolved.

Regards,
Zornitsa
Progress Telerik
Levon
Top achievements
Rank 1
Iron
Iron
commented on 09 Oct 2025, 09:49 AM | edited

Sorry, cannot aprove still got same error a bunch of This document requires 'TrustedHTML' assignment. while using (in m example) kendo grid.

here are header for CSP

default-src 'none';
font-src 'self';
script-src 'nonce-our-value' 'strict-dynamic' 'report-sample';
style-src 'nonce-our-value';
img-src 'self';
frame-src 'none';
frame-ancestors 'none';
connect-src 'self' our-domain.com;
object-src 'none';
base-uri 'self';
upgrade-insecure-requests;
require-trusted-types-for 'script';
trusted-types angular;



Is there anything extra needed o be setted up in kendo area?
Levon
Top achievements
Rank 1
Iron
Iron
commented on 09 Oct 2025, 10:42 AM

I wonder, does Kendo (KendoAngular)  fully supports strict CSP/Trusted Types?
Tags
General Discussions
Asked by
Levon
Top achievements
Rank 1
Iron
Iron
Answers by
Zornitsa
Telerik team
Share this question
or