Kendo and CSP. got error "This document requires 'TrustedHTML' assignment."

1 Answer 29 Views

General Discussions

1 Answer, 1 is accepted

answered on 02 Oct 2025, 11:17 AM

Hi Levon,

I performed some testing and was able to reproduce the described error message ("This document requires 'TrustedHTML' assignment") only when I enabled the require-trusted-types-for 'script' directive in the application. In general, this setting enforces the use of Trusted Types for DOM updates that involve HTML, such as assignments to innerHTML.

After additional troubleshooting, the error seems to also reproduce in a standalone Angular application with the require-trusted-types-for 'script' directive set, and when importing the KENDO_CHECKBOX (or KENDO_INPUTS) utility array.

On that note, it appears that the error is not directly related to the Kendo UI for Angular packages, but it emerges from the @progress/kendo-drawing package, which is a dependency of the Kendo UI for Angular Inputs:

https://www.telerik.com/kendo-angular-ui/components/inputs/installation/dependencies-and-utils#kendo-angular-inputs-dependencies

This means that the error also emerges when importing any other Kendo UI for Angular package in the project, which depends on @progress/kendo-drawing (e.g., KENDO_GRID, KENDO_CHARTS).

With the above being said, I logged the following bug report in our public GitHub repository:

https://github.com/telerik/kendo-angular/issues/4727

Feel free to subscribe to the above issue in order to stay notified of any updates regarding the resolution process of this bug. The issue can be used for tracking purposes, as it will be updated when there is any progress on the kendo-drawing bug.

As a small token of gratitude for reproting this bug, I have updated the Telerik points of your account.

I hope the provided information clears up the matter.

Regards,
Zornitsa
Progress Telerik

Your perspective matters! Join other professionals in the State of Designer-Developer Collaboration 2025: Workflows, Trends and AI survey to share how AI and new workflows are impacting collaboration, and be among the first to see the key findings.
Start the 2025 Survey

Levon

commented on 06 Oct 2025, 09:16 AM

Thank you very much for reviewing the mentioned issue deeply.
I would like to be informed about estimation/version fix would included.

Zornitsa

commented on 09 Oct 2025, 07:22 AM

Hi Levon,

I am happy to announce that a fix for the discussed bug has been released in v1.22.2 of the @progress/kendo-drawing package.

The version with the fix has been tested locally, and the CSP error no longer emerges. Feel free to test it out on your side as well, and see whether the error is now resolved.

Regards,
Zornitsa
Progress Telerik

Levon

commented on 09 Oct 2025, 09:49 AM | edited

Sorry, cannot aprove still got same error a bunch of This document requires 'TrustedHTML' assignment. while using (in m example) kendo grid.

here are header for CSP

default-src 'none';
font-src 'self';
script-src 'nonce-our-value' 'strict-dynamic' 'report-sample';
style-src 'nonce-our-value';
img-src 'self';
frame-src 'none';
frame-ancestors 'none';
connect-src 'self' our-domain.com;
object-src 'none';
base-uri 'self';
upgrade-insecure-requests;
require-trusted-types-for 'script';
trusted-types angular;



Is there anything extra needed o be setted up in kendo area?

Levon

commented on 09 Oct 2025, 10:42 AM

I wonder, does Kendo (KendoAngular) fully supports strict CSP/Trusted Types?