Hi team,
I need to know the real status of CSP for jQuery kendo UI.
Sorry but documentation is unclear. Ok for the unsafe-eval directive. But what about the unsafe-inline directive for script-src AND style-src?
Thank you,
Laurent.
Hello, Laurent,
At this point we are fully CSP compatible with the exception of the Spreadsheet. If you are experiencing any issues, please provide further details or a runnable example where we can investigate.
Regards,
Martin
Progress Telerik
Hi Martin,
Thank you for the clarification.
Regards,
Laurent.
Hi Martin,
Regarding the kendo editor, some text enrichment produce style attributes, for instance when using "align text left" or "align text right". In this case, how can it be fully CSP compliant?
Regards,
Laurent.
Hello, Laurent,
The Editor provides a nonce configuration which you can include in the meta tag. Here is a small example for reference, the script nonce attribute can be avoided in your actual project if you are importing the JS code.
Hi Martin,
Thank you for your prompt response.
Unfortunately, even using a nonce won't make it work with inline style attributes. The nonce only applies to the <style> block in the iframe document head (see screenshot). All the generated style attributes will cause errors. I don't know exactly why, but not all the errors are thrown in the dojo environment. But if you play a bit with the editor you'll get errors.
Best regards,
Laurent.
Hi Laurent,
The Editor does not strip out the inline styles of its content by default because it would affect the content itself, when used in a less strict environment.
With that said, you can either create a custom serializer that would always strip the styles and allow only plain text in the editor, or just ignore the CSP errors.
The CSP errors do not affect anything on the page; they just notify you that an inline style would not be applied, although it is present. That would still allow you to copy the correctly decorated elements in case you want to use them in an environment with less strict CSP rules.
Also, suppose you want to have formatted content. In that case, we recommend using unsafe-inline only for the styles, as that would not pose such a threat.
That is especially true when the other CSP settings are set up correctly, meaning even if a malicious URL is used as a background URL, the call would be automatically blocked by the cross-domain CSP rules.
As for the nonce attribute, it would not be applicable to the contents of the Editor as the value of the nonce attribute is supposed to be different on each page load, hence the saved content with old nonce attribute values would again be invalid.
Hi Peter,
Thank you for your prompt and complete response.
I think the documentation should state that the Editor can't be fully CSP compliant due to its nature.
Best regards,
Laurent
Hi Laurent,
We will consider adding a note in the documentation that the Editor component itself is fully compliant. Still, its content is not, as the users by default do not have restrictions to add only compliant content.
The developers can force the content to be fully compliant via a custom serializer, but that would affect all formatting and styling of the content.
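The two points the thread turns on (a nonce on style-src covers only the <style> block, never inline style attributes, and the only way to make the Editor's content CSP-clean is a serializer that strips those attributes) can be checked in code. The following is an added example, not Telerik's or Kendo's own code: a small CSP parser that answers "would this policy allow inline style attributes?", and a style-attribute stripper of the kind a custom serializer would use. It assumes the policy string is the value of a Content-Security-Policy header or meta tag, and the sample HTML is constructed here.

```javascript
// Added example (not Kendo UI code). Parses a CSP policy string and decides
// whether inline style="" attributes, such as those the Editor emits for
// "align text left/right", would be permitted; plus a serializer helper that
// strips them so the saved content no longer triggers CSP violations.

// Split "directive src1 src2; directive2 ..." into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Inline style attributes are governed by style-src-attr, then style-src,
// then default-src. Returns null when no directive applies (no restriction).
function styleAttrSources(directives) {
  for (const name of ['style-src-attr', 'style-src', 'default-src']) {
    if (directives[name]) return directives[name];
  }
  return null;
}

// True if style="" attributes would be applied under this policy.
// A nonce or hash source causes 'unsafe-inline' to be ignored (CSP Level 2+),
// and neither a nonce nor a plain hash covers attributes, only <style>
// elements. 'unsafe-hashes' with a matching hash of the attribute value
// would also allow it, but that cannot be known without the content, so the
// check is deliberately conservative there.
function inlineStyleAttributesAllowed(policy) {
  const sources = styleAttrSources(parseCsp(policy));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Matches a style attribute in any of its quoting forms, inside a tag.
const STYLE_ATTR = /\sstyle\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi;

// Serializer helper: remove style="" attributes from every tag so the stored
// content is valid under a strict style-src. Only tag text is rewritten, so
// "style=" appearing in visible text is left alone. Simplification: a '>'
// inside an attribute value is not handled.
function stripStyleAttributes(html) {
  return html.replace(/<[^>]+>/g, (tag) => tag.replace(STYLE_ATTR, ''));
}

// Example policies: the one recommended in the thread (nonce for scripts,
// 'unsafe-inline' only for styles) versus a nonce-only style-src.
const RECOMMENDED_POLICY =
  "default-src 'self'; script-src 'nonce-r4nd0m'; style-src 'self' 'unsafe-inline'";
const NONCE_ONLY_STYLE_POLICY =
  "default-src 'self'; script-src 'nonce-r4nd0m'; style-src 'self' 'nonce-r4nd0m'";

// Constructed sample of Editor output after "align text left".
const SAMPLE_CONTENT = '<p style="text-align:left">Hello</p>';

console.log(inlineStyleAttributesAllowed(RECOMMENDED_POLICY));      // true
console.log(inlineStyleAttributesAllowed(NONCE_ONLY_STYLE_POLICY)); // false
console.log(stripStyleAttributes(SAMPLE_CONTENT));                  // <p>Hello</p>
```

To use the stripper as the custom serializer the thread mentions, pass it as the Editor's serialization hook (assumed here to be the documented `serialization.custom` option, which receives the HTML string and returns the HTML to save); the trade-off is exactly the one Peter describes, since alignment and other style-based formatting is lost in the saved content.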