Dan Ehrmann
Top achievements
Rank 1
Rank 1
Dan Ehrmann
asked on 10 Dec 2018, 04:13 PM
Subresource Integrity is a fairly new security scheme for protecting against malicious script obtained from third-party source (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.
Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap?
Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here.
1 Answer, 1 is accepted
0
Hi Dan,
Thank you for your valuable feature request!
We strongly suggest using the HTTPS CDN server since HTTPS is used to ensure that the connection between the user's browser and the web server is encrypted.
Indeed, the benefit of the Subresource Integrity is that if the CDN server is tampered with malicious code, it will be delivered to the user, irrelevant if the connection is encrypted or not.
While it is not applicable for the old versions of the controls, because they are so many, we will definitely discuss the idea of introducing Subresource Integrity in a future release. I've logged the Subresource Integrity (CDN) feature request in the feedback portal to see how popular this idea will become.
I also updated your Telerik points for the nice feature request.
Thank you once again!
Best regards,
Rumen
Progress Telerik
Thank you for your valuable feature request!
We strongly suggest using the HTTPS CDN server since HTTPS is used to ensure that the connection between the user's browser and the web server is encrypted.
Indeed, the benefit of the Subresource Integrity is that if the CDN server is tampered with malicious code, it will be delivered to the user, irrelevant if the connection is encrypted or not.
While it is not applicable for the old versions of the controls, because they are so many, we will definitely discuss the idea of introducing Subresource Integrity in a future release. I've logged the Subresource Integrity (CDN) feature request in the feedback portal to see how popular this idea will become.
I also updated your Telerik points for the nice feature request.
Thank you once again!
Best regards,
Rumen
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.