Kendo-ui-core: CSP

Created on 23 Nov 2018  路  4Comments  路  Source: telerik/kendo-ui-core

Kendo really should support CSP

I propose to use a precompilation step for the templates and not using any templates internally (but Functions instead), so that users that do not use templates at all can use kendo without any setup and the others need a compilation step that extracts the templates, compiles them and puts them in a file to be included (that would then serve as a cache for the templates).

CSP is getting more and more important, and browser support is very good. It is a great technology against XSS: https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval

In addition, in kendo.list.js there is a really unnecessary (at least for me, maybe it is for performance reasons) use of new Function, please have a look at that one.

jQuery1 jQuery2

Most helpful comment

A first step would be to refactor the
unsafe_eval
stuff

All 4 comments

Thank you for the feedback.

First of all, there are indeed a few places in our code, where eval/new Function is used, when it could easily be refactored, and we'll look into that.

The other suggestion is however not so straightforward. CSP is important, and we should do everything in our power to support it. However the templates implementation as it currently stands is one of the backbones of the Kendo UI library, and changing the way it works might have serious implications (aside from the user having the option to define templates, they are also defined internally throughout the suite). Breaking changes, such as asking the client to include template files, is almost unthinkable, due to the reach of KendoUI and the number of working projects it's in.

What we could instead focus on is perhaps the other direction - how to provide a way to setup KendoUI to be fully CSP compatible. The current roadmap is already full, and we'll probably not have time to investigate this in the next few months, but we'll definitely keep this in our TODO.

Thank you again for raising the issue, and we can post here any updates on our side.

Thank you for your feedback!

I agree that this should be implemented as an opt-in feature, and this must not be breaking. As I had to make Kendo CSP-compliant, I did the following:

I went to kendo.core.js and logged every template here and the resulting new Function definition in a way I could copy-paste it to a file which I then used as a cache, similar to the expression cache . Not nice, but for me, it worked :) But I have to state that I only needed the TreeList Component and the Editor Component to be working, at there were already around 50 such templates... Now I think one could automate that step for those who are like me and just have to make it work somehow - totally backwards compatible.

In addition, I patched the mentioned kendo.list.js

A first step would be to refactor the
unsafe_eval
stuff

Any news on this one?

Was this page helpful?
0 / 5 - 0 ratings