Kendo-CSP issue after upgrading Telerik R1 2023 version without using 'Unsafe' prefix?

shiva asked on 19 May 2023, 07:58 AM

We are working to fix the issue with Kendo-CSP for ASP.NET MVC with jQuery Kendo UI. In our application, we are currently using Kendo grids, dropdowns, and popups.

Initially, we have implemented the below changes for CSP.

  • Updated to jQuery 3.6.4
  • Generated dynamic nonce numbers and applied the nonce to inline scripts
  • Ajax calls replaced with jQuery get/post methods.
  • Removed all styles and replaced them with Bootstrap classes.
  • Onclick and onchange events replaced with JavaScript addEventListener listeners.
  • Added the Unsafe prefix in the configuration (waiting for the Kendo 2023 R1 version)

Recently we got the new Telerik R1 2023 version and replaced the files below for the upgrade.

  • Kendo.mvc.dll
  • kendo.aspnetmvc.js
  • kendo.all.min.js

We tried the new Kendo changes without the Unsafe prefix, but it is throwing dynamic script errors and the Kendo controls are not working. Our assumption is that there are dynamically generated inline scripts for Kendo controls which do not contain a nonce, which may cause the issue.

We also tried with Deferred-Script, but it was no use.

We are facing console issues related to styles and scripts. Help me out.

Thanks.
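The assumption in the question (inline scripts rendered without a nonce) can be checked against the server's response before opening the browser console. The following is an added example, not part of the original post and not Telerik code; the function names, the sample header, the nonce value, the markup and the `/Scripts` path are all constructed for illustration, and the policy is assumed to be a strict one without `'unsafe-inline'`.

```python
import re
from html.parser import HTMLParser

# Constructed sample policy and page (not taken from the thread).
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'nonce-abc123'"
SAMPLE_HTML = """<html><head>
<script nonce="abc123">var ok = 1;</script>
<script src="/Scripts/kendo.all.min.js"></script>
</head><body>
<div id="grid" style="width:100%"></div>
<script>jQuery(function(){ /* widget init emitted without nonce */ });</script>
<a href="#" onclick="save()">Save</a>
</body></html>"""

def parse_csp(header):
    """Return {directive: [sources]} from a Content-Security-Policy header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence of a directive wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def allowed_nonces(policy, directive):
    """Nonces granted to a directive, falling back to default-src when it is absent."""
    sources = policy.get(directive, policy.get("default-src", []))
    return {m.group(1) for s in sources
            if (m := re.fullmatch(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'", s))}

class InlineAudit(HTMLParser):
    """Records inline <script>/<style> blocks, style= and on* attributes a strict policy blocks."""
    def __init__(self, policy):
        super().__init__()
        self.nonces = {t: allowed_nonces(policy, t + "-src") for t in ("script", "style")}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]  # line on which the start tag begins
        if tag in ("script", "style") and "src" not in a:  # inline block, not an external file
            if a.get("nonce") not in self.nonces[tag]:
                self.findings.append((line, f"<{tag}> without a valid nonce"))
        for name in a:  # nonces never cover attributes, so these always need refactoring
            if name == "style" or name.startswith("on"):
                self.findings.append((line, f"{name} attribute on <{tag}>"))

def audit(header, html):
    """Return [(line, finding)] for markup the given policy would block."""
    parser = InlineAudit(parse_csp(header))
    parser.feed(html)
    return parser.findings
```

Feeding it the CSP header and HTML body of a page that renders a grid shows which blocks still lack the per-request nonce; markup that scripts inject after load is not covered and only appears as browser CSP violations.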

1 Answer, 1 is accepted

Patrick | Technical Support Engineer, Senior
Telerik team
answered on 23 May 2023, 07:10 PM

Hi Shiva,

We have a dedicated article regarding UI for ASP.NET MVC CSP which provides more information about how to apply strict CSP with our components.  Additionally, Kendo UI for jQuery currently supports up to jQuery 3.6.1. 

Please take a look at these resources and let me know if you have any specific questions regarding the matter.

Regards,
Patrick | Technical Support Engineer, Senior
Progress Telerik


shiva
commented on 31 May 2023, 11:40 AM

Thanks for the response, Patrick.

  • I have updated jQuery to 3.6.1
  • I tried with deferred script but we are still facing console issues. There is not much info on template creation for Kendo grids.

Please help me out.

Thanks.

Patrick | Technical Support Engineer, Senior
Telerik team
commented on 01 Jun 2023, 03:02 PM

Hi Shiva,

I can see that you are already involved in the ongoing conversation with Vidya in a support ticket. To avoid duplicating efforts and branching conversation in multiple locations with multiple accounts, please keep this conversation in the same place. Additionally, I can assure you that you are already assigned to the most qualified engineer to assist. Just please make sure you reply to the specific ticket with the most recent information (Yes, you can reply in Vidya's case).

Thank you for your understanding in the matter.
shiva
commented on 22 Jun 2023, 01:45 PM

Have you successfully implemented Content Security Policy (CSP) in your ASP.NET MVC application that utilizes Kendo UI? If so, could you please share your experience and any challenges you faced during the implementation process?
Patrick | Technical Support Engineer, Senior
Telerik team
commented on 23 Jun 2023, 06:35 PM

I can confirm we currently have a feature request specific to the removal of the unsafe-inline requirement from Telerik MVC styles for CSP compliance.  I have added a vote on your behalf to escalate the issue.  Please feel free to follow it for potential updates, and provide any feedback/comments within that thread for the developer community.