Kendo-ui-core: Add an option to disable IE8 support in editor or don't run IE8-specific code in other browsers

Created on 14 Mar 2018  路  14Comments  路  Source: telerik/kendo-ui-core

Bug report

Reproduction of the problem

Add editor to a page with CSP directive blocking inline scripts.

Current behavior

Editor._createContentElement appends IE8-specific script to editor iframe for all browsers, which leads to CSP violation error.

Expected/desired behavior

This script should be loaded only for IE8 or editor/kendo should have an option to disable IE8 support.

Environment

  • Kendo UI version: 2018.1.117
  • jQuery version: 3.2.1
  • Browser: Chrome 67
Bug Editor Priority 2 High jQuery2

Most helpful comment

Any version after R2 2018 (2018.2.516) includes the fix.

All 14 comments

@ivanchev @nenchef what do you think?

Hi @MaceWindu, I assume you refer to this piece of code:

domainScript +
"<script>(function(d,c){d[c]('header'),d[c]('article'),d[c]('nav'),d[c]('section'),d[c]('footer');})(document, 'createElement');</script>" +

and the CSP error about the unsafe-inline rule.

Even if the script injection is removed, the same CSP error will be still thrown. You can check that out here: https://dojo.telerik.com/iRaXUWUy.

Generally, in addition to that article here (https://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy), the 'unsafe-inline' directive should be added to the CSP meta in order to run the Kendo UI widgets in your app.

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">

https://dojo.telerik.com/iRaXUWUy/3

nope, it shouldn't as we don't support IE8

Also you receive CSP error in your example, because dojo.telerik.com use inline scripts in sandbox iframe, not because of editor

If you will add nonce for this script ('sha256-W6PMrlpsyvZcMeXLF8Wioj7EU1a/naAZtzS6G4/BOks='), you will see that it doesn't produce any errors anymore (except those from _createElement)

The statement above was tested not in a dojo, but in a local sample solution. The ('sha256-W6PMrlpsyvZcMeXLF8Wioj7EU1a/naAZtzS6G4/BOks=') directive is the same as 'unsafe-inline' like the one already suggested.

The dojo shows only a way to remove the mentioned script injection and test it out on your local app. That way you will be able to observe if the CSP error is gone or not.

Also, even if you add a simple Kendo Button to the page, without Editor, the 'unsafe-inline' will be still an issue. Thus, you will need to add it to the CSP directives for the local JS files and the Telerik CDN in order to have the widgets running properly.

Sorry, but I don't see any sense continuing this discussion. We use strict CSP policy for several years already without any issue with kendo ui. This report was submitted to relieve us from burden of patching kendo on each new release.
Suggesting to use unsafe-inline is almost the same as suggesting disable CSP. It defeats almost all of its benefits.

Also I would recommend to read more about CSP to not make statements like "('sha256-W6PMrlpsyvZcMeXLF8Wioj7EU1a/naAZtzS6G4/BOks=') directive is the same as 'unsafe-inline' "

I am sorry, I did not chose the best wording. The SHA represents the encoded injection to be allowed, which leads to similar results to 'unsafe-inline' directive. Of course, it is better to use the SHA, but the injection might change in time and cause the same issues again.

I will continue the investigation and address the problem. But still, in my opinion, this is not a matter of Kendo Editor supporting IE8, but some general case with all Kendo widgets. If there is a way to prevent this CSP error I will reopen this issue so that you get notified.

After some extensive digging into the issue it appears that there are other parts of the Editor logic that cause the CSP errors. I am reopening the issue here so that we can continue working on fixing the CSP errors.

Glad to see it reopened. Sorry for some harsh wording, but I was really upset with it closed without proper research.

I suspect by other issues you probably mean one mentioned here: https://github.com/telerik/kendo-ui-core/issues/4085

Some information that could be helpfull:

We don't use all kendo ui controls, but except two issues with editor, we don't have any issues with policy like below for following controls: editor, charts, gantt.
Also file upload control with IE9- iframe upload method will need changes to allow it (we don't support this version of IE, so we don't have it in our CSP policy).
Also note that CSP behavior right now is much better than 2 years ago. A lot of bugs were fixed by browsers, still you can observe inconsistent behavior between different browsers or even same browser on windows/osx.

base-uri <our_address>; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'none'; frame-ancestors 'none'; img-src 'self'; report-uri <our_report_uri>; require-sri-for script; script-src 'self' 'report-sample' 'unsafe-eval' 'sha384-for_some_non_kendo_stuff'; style-src 'self' 'unsafe-inline'

note that we don't have require-sri-for styles, as it is not possible right now to configure it for custom editor styles.

Yes, the iframe.src manipulation is considered as injection too and that lead me to the incorrect assumptions.

As this is tagged as a bug, the fix will be included in the next available LIB version and released with the upcoming release of Kendo UI for Vue.

Sorry to post to the old thread, but where can I find which version has this fixed?

Any version after R2 2018 (2018.2.516) includes the fix.

Was this page helpful?
0 / 5 - 0 ratings