This is a migrated thread and some comments may be shown as answers.

Subresource Integrity

1 Answer 80 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
Dan Ehrmann
Top achievements
Rank 1
Dan Ehrmann asked on 10 Dec 2018, 04:13 PM

Subresource Integrity is a fairly new security scheme for protecting against malicious script obtained from third-party source (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.

Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap? 

Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here

More info available here and here.

1 Answer, 1 is accepted

Sort by
0
Rumen
Telerik team
answered on 13 Dec 2018, 05:06 PM
Hi Dan,

Thank you for your valuable feature request!

We strongly suggest using the HTTPS CDN server since HTTPS is used to ensure that the connection between the user's browser and the web server is encrypted. 
Indeed, the benefit of the Subresource Integrity is that if the CDN server is tampered with malicious code, it will be delivered to the user, irrelevant if the connection is encrypted or not.

While it is not applicable for the old versions of the controls, because they are so many, we will definitely discuss the idea of introducing Subresource Integrity in a future release. I've logged the Subresource Integrity (CDN) feature request in the feedback portal to see how popular this idea will become.

I also updated your Telerik points for the nice feature request. 

Thank you once again!

Best regards,
Rumen
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
Tags
General Discussions
Asked by
Dan Ehrmann
Top achievements
Rank 1
Answers by
Rumen
Telerik team
Share this question
or