Hello, are you planning to remove the unsafe-eval as part of the content security policy?
In this documentation is saying that this is required
https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy
We need to remove this option from our website and we can't due Kendo library. Are you going to change this requirement in some of the upcoming version?
Thanks,
1 Answer, 1 is accepted
Hi Karina,
At this time we don't have plans for changing the currently used Content security policy.
You can read more details about our CSP Support in the following link: https://feedback.telerik.com/kendo-jquery-ui/1359789-csp-support .
Regards,
Petar
Progress Telerik
Rank 1
Hello,
our company is developing a digital gateway for government authorities and our customers are demanding the usage of the content security policy header in our application. Due to a recent change in our customer’s security policies, we are no longer allowed to use the unsafe-eval keyword in the HTML header. Is it possible to use Kendo UI MVC or parts of Kendo UI jQuery/MVC without the usage of unsafe-eval? Or are we forced to search for a replacement of KendoUI jQuery/MVC?
Thanks
Hello,
With the R1 2023 release, you no longer need to use unsafe-eval. However, in order to achieve CSP compatibility, you will need to make sure that any templates you are using in your project are re-written as per the guide in the CSP-Compatible templates article:
https://docs.telerik.com/kendo-ui/intro/widget-basics/content-security-policy
https://docs.telerik.com/kendo-ui/framework/templates/get-started-csp-templates
Let me know if you have any further questions.