This is a migrated thread and some comments may be shown as answers.

Kendo elements not working without using unsafe-eval

Srijita
Top achievements
Rank 1
Srijita asked on 16 Aug 2018, 02:24 PM
I am facing a problem with Kendo UI elements (Dropdown, MultiSelect, Grid, etc.) in our application, where we are implementing Content Security Policy (CSP). We need to give the “unsafe-eval” value to the CSP so that the Kendo elements work on the page. But using "unsafe-eval" violates the content security policy. Without "unsafe-eval" the Kendo elements don’t work. Is there any workaround if we don’t want to include “unsafe-eval” and all Kendo elements should work as expected?

3 Answers, 1 is accepted

Konstantin Dikov
Telerik team
answered on 20 Aug 2018, 06:03 AM
Hi Srijita,

The template mechanism of Kendo UI uses "eval", which means that the strict CSP mode is not supported. More information on this matter is available in the following help topic:

Best Regards,
Konstantin Dikov
Progress Telerik
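
Why a template engine that compiles strings to code needs 'unsafe-eval', and what an eval-free renderer looks like, as an added example that is not part of the thread and is not Kendo UI's code. The `#: field #` placeholder syntax, the function names and the sample data are assumptions made for this sketch.

```javascript
// Added illustration: a simplified stand-in, not Kendo UI's template engine.
// The "#: field #" placeholder syntax and all names here are assumptions.
const PLACEHOLDER = /#:\s*([\w.]+)\s*#/g;
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Approach 1: translate the template into JavaScript source and compile it.
// new Function() is string-to-code evaluation, so under a policy without
// 'unsafe-eval' the browser blocks this call and it throws.
function compileWithCodegen(template) {
  const body = "return " + JSON.stringify(template).replace(
    PLACEHOLDER, (_, path) => `" + esc(data.${path}) + "`) + ";";
  const render = new Function("data", "esc", body);
  return (data) => render(data, escapeHtml);
}

// Approach 2: parse the template once into literal strings and property
// paths, then walk that list at render time. No source text is ever
// evaluated, so this works under script-src 'self' with no 'unsafe-eval'.
function compileWithoutEval(template) {
  const parts = [];
  let last = 0;
  for (const m of template.matchAll(PLACEHOLDER)) {
    parts.push(template.slice(last, m.index), m[1].split("."));
    last = m.index + m[0].length;
  }
  parts.push(template.slice(last));
  const lookup = (data, path) =>
    path.reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
  return (data) => parts
    .map((p) => (typeof p === "string" ? p : escapeHtml(lookup(data, p))))
    .join("");
}

// Constructed sample input.
const template = '<li title="#: user.name #">#: user.name # (#: count #)</li>';
const row = { user: { name: 'Ann <admin> & "Bob"' }, count: 3 };

function renderBoth() {
  return [compileWithCodegen(template)(row), compileWithoutEval(template)(row)];
}
console.log(renderBoth());
```

Both renderers produce the same HTML for the sample; the second gives up arbitrary JavaScript inside templates, which is the trade-off an eval-free engine makes.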
Karina
Top achievements
Rank 1
answered on 10 Dec 2019, 12:15 PM

Hello, are you planning to remove the unsafe-eval as part of the content security policy?

https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy

We need to remove this option from our website and we can't due to the Kendo library.

Thanks,

Petar
Telerik team
answered on 12 Dec 2019, 11:03 AM

Hi Karina,

I've just answered your question in this thread: https://www.telerik.com/forums/kendo-elements-not-working-without-unsafe-eval

If you want to discuss something else related to the CSP support, let's continue the communication in the thread linked above.

Regards,
Petar
Progress Telerik

Alpi
Top achievements
Rank 1
commented on 06 Sep 2021, 02:31 PM

Hi Team,

We were using Kendo with the "unsafe-eval" Content-Security-Policy header. Now we have to remove "unsafe-eval" and "unsafe-inline" from our Content-Security-Policy header because of some security issues. Is there any way to achieve the same functionality without using "unsafe-eval"?

Thanks in advance

Neli
Telerik team
commented on 08 Sep 2021, 09:30 AM

Hi Alpi, 

The 'unsafe-eval' is still needed as described in the Content Security Policy article linked below:

- https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy

As there is a related Feature Request in our official Feedback Portal I would suggest you cast a vote for it:

- https://feedback.telerik.com/kendo-jquery-ui/1359789-csp-support

Regards,

Neli
