Subresource Integrity

2 posts, 0 answers
  1. Dan Ehrmann

    Posted 10 Dec 2018

    Subresource Integrity is a fairly new security scheme for protecting against malicious scripts obtained from third-party sources (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.

    Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap? 

    Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here

    More info available here and here.

  2. Rumen
    Admin

    Posted 13 Dec 2018

    Hi Dan,

    Thank you for your valuable feature request!

    We strongly suggest using the HTTPS CDN server since HTTPS is used to ensure that the connection between the user's browser and the web server is encrypted.
    Indeed, the benefit of Subresource Integrity is that if the CDN server is tampered with malicious code, it will be delivered to the user, regardless of whether the connection is encrypted or not.

    While it is not applicable for the old versions of the controls, because there are so many, we will definitely discuss the idea of introducing Subresource Integrity in a future release. I've logged the Subresource Integrity (CDN) feature request in the feedback portal to see how popular this idea will become.

    I also updated your Telerik points for the nice feature request. 

    Thank you once again!

    Best regards,
    Rumen
    Progress Telerik
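
The hash-in-the-script-tag mechanism described in the first post, as an added example that is not part of the thread or of Telerik's code: it computes the `integrity` value for a script, emits the pinned tag, and mimics the browser-side check. The URL `https://cdn.example/lib.js` and the script bytes are constructed placeholders.

```python
import base64
import hashlib
import html

# Hash algorithms SRI allows, weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>' for the integrity attribute."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a script tag pinned to the exact bytes of `content`."""
    # crossorigin is needed so the browser may inspect a cross-origin response.
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_value(content)}" crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: use only the strongest algorithm listed,
    and accept if any hash of that algorithm matches the fetched bytes."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in STRENGTH and rest:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not parsed:
        return True  # no usable metadata: the browser enforces nothing
    strongest = max(parsed, key=lambda p: STRENGTH[p[0]])[0]
    actual = sri_value(content, strongest).split("-", 1)[1]
    return any(alg == strongest and value == actual for alg, value in parsed)


# Constructed sample input: a pinned file and a tampered copy served later.
ORIGINAL = b"function greet(){return 'hello';}\n"
TAMPERED = ORIGINAL + b"/* injected */\n"
PINNED = sri_value(ORIGINAL)

if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", ORIGINAL))
    print("original accepted:", verify(ORIGINAL, PINNED))
    print("tampered accepted:", verify(TAMPERED, PINNED))
```

Because the value pins exact bytes, it has to be regenerated whenever the CDN-hosted file legitimately changes, so it only suits versioned, immutable URLs.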