Hi,
We are using Kendo controls for MVC. There was a security scan done in our application, it capture few of the security issues.
We are able to fix all of the security issues except one.
CWE 829 - The application contains unsafe Content-Security-Policy (CSP) directives that could allow malicious script code to be included on the page.
So, as a result we have removed all the custom inline javascript and css to an external files and refer those external .js and .css files in our .cshtml page.
But when we use any of the Kendo controls like Kendo grid or Kendo calendar then in the runtime it create some inline scripts and we are getting application contains unsafe Content-Security-Policy (CSP) directives.
How to bypass those runtime inline scripts created by Kendo controls so that we don't get unsafe Content-Security-Policy (CSP) directives
during the security scan of the application.
Please let me know if you need any more information on this.
1 Answer, 1 is accepted
Hi Abdul,
Thank you for reaching out.
The Telerik UI for MVC and the Kendo UI for jQuery support CSP compatibility:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/content-security-policy
To activate it, you can enable the <meta> tag provided in the article above and some changes in Global.asax and web.config files:
https://www.telerik.com/aspnet-mvc/documentation/html-helpers/helper-basics/deferred-initialization#deferring-components-globally
The only error you will see in the console is coming from the Trial message:
Which will go off when you are using the licensed assembly.
Please download and run the sample and let me know if you find this information helpful.
Regards,
Eyup
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.
Rank 2
Iron
Iron
Hi Eyup,
Thanks for your response. We have tried and its working for simple Kendo controls. For example when we have few textbox,
kendo dropdowns and buttons its working properly.
We have another scenario, where we have Kendo Tab strip inside the kendo Tabstrip we have kendo dropdown
and kendo grids. In this scenario when we try to load tab strip it is loading properly but when we are trying to load kendo
dropdows or kendo grids it is not loading and returning undefined.
Can you please let us know how to load the child controls inside a parent.
This is how we load our kendo controls in external JavaScript files and kendo controls are in .cshtml file and
referencing the external JavaScript file in .cshtml page.
var sampleDateDt= $("#sampleDate").data("kendoDatePicker");
var ddlStates= $("#states").data("kendoDropDownList");
I am glad the provided assistance has proven helpful.
As for the new question and more complex cases, you can check the specially designed component called Template:
https://demos.telerik.com/aspnet-core/template/integration-grid
It was introduced exactly for CSP scenarios.
If there are further questions on this matter, please feel free to open a new ticket so we can keep the threads organized and focused on specific questions.