While adding a Content Security Policy, we ran into the following error, which seems to be arising from the Kendo library. How do we solve this?

Sanal asked on 05 Apr 2024, 04:54 AM | edited on 05 Apr 2024, 05:57 AM

Is the following error because kendo is using eval() in some areas?

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://maps.googleapis.com 'sha256-FCclJ10YV/xEc9PbnYcWzMs7Mw9DRGVf31pHhGF1jtp='".

    at Function (<anonymous>)
    at Object.getter (kendo.all.min.js:26:455)
    at init.get (kendo.all.min.js:27:21790)
    at new e (ScheduleDsb.tsx:367:30)
    at 125 (DyScheduleTimeline.tsx:67:46)
    at i (scheduler:1:1815)
    at r (scheduler:1:1684)
    at Array.t [as push] (scheduler:1:1547)
    at main.358cb176.chunk.js:1:73
getter @ kendo.all.min.js:26
get @ kendo.all.min.js:27
e @ ScheduleDsb.tsx:367
125 @ ScheduleTimeline.tsx:67
i @ scheduler:1
r @ scheduler:1
t @ scheduler:1
(anonymous) @ main.358cb176.chunk.js:1

Following are some details on the version we are using.

"dependencies": {
  "@progress/kendo-ui": "^2021.3.1207",
  "@types/node": "^12.20.15",
  "@types/react": "^17.0.11",
  "moment": "^2.29.4",
  "react": "^17.0.2",
  ...
}

"devDependencies": {
  "@types/jquery": "^3.5.5",
  ...
}

Vessy
Telerik team
answered on 08 Apr 2024, 06:12 PM

Hi, Sanal,

Kendo UI supports strict CSP as of version R1 2023, so for all versions released before that (such as the "^2021.3.1207" you are using) you will have to add the unsafe-eval keyword as a part of the meta tag that is used for enabling the CSP mode:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' https://kendo.cdn.telerik.com;">

Hope this helps.

Regards,
Vessy
Progress Telerik

Sanal
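A small helper, added here as an example and not part of this thread or of Kendo UI, that parses a CSP string, reports whether it lets eval() and new Function() run (script-src, falling back to default-src), and adds 'unsafe-eval' to script-src only, so the relaxation the answer describes stays scoped to that one directive. The policy string is the one quoted in the question; the function names are assumptions.

```javascript
// Parse "dir src src; dir2 src" into a Map of directive name -> array of sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;          // skip empty segments (trailing ';')
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour only the first occurrence of a directive; do the same.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Serialize a directive map back into a policy string.
function serializeCsp(directives) {
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

// eval()/new Function() are governed by script-src, or by default-src when
// script-src is absent. With neither present, CSP does not restrict eval at all.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const governing = d.get('script-src') ?? d.get('default-src');
  if (governing === undefined) return true;
  return governing.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Add 'unsafe-eval' to script-src only. If script-src is missing, create it from
// default-src so the other fetch directives keep their stricter defaults.
function addUnsafeEval(policy) {
  const d = parseCsp(policy);
  if (!d.has('script-src')) d.set('script-src', [...(d.get('default-src') ?? [])]);
  const srcs = d.get('script-src');
  if (!srcs.some((s) => s.toLowerCase() === "'unsafe-eval'")) srcs.push("'unsafe-eval'");
  return serializeCsp(d);
}

// Policy from the question above (hash source copied as quoted there).
const QUESTION_CSP =
  "script-src 'self' https://maps.googleapis.com 'sha256-FCclJ10YV/xEc9PbnYcWzMs7Mw9DRGVf31pHhGF1jtp='";

console.log('allows eval before:', allowsEval(QUESTION_CSP)); // false
console.log('relaxed policy:', addUnsafeEval(QUESTION_CSP));
```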
commented on 09 Apr 2024, 04:09 AM | edited

Thanks for the update. I could see that:
"The Kendo UI for jQuery R1 2023 release addresses the unsafe-eval directive for all components except for the Spreadsheet."

We are using the Excel feature. Does the above statement indicate that I would still have to use unsafe-eval?

Also, can I have your suggestion on one point, just to get an idea: is it feasible to update to the latest version? Will there be any major breaking changes if I decide to update? We are planning to create a completely new version a couple of years later. Do you think it is worth the effort?
Vessy
Telerik team
commented on 10 Apr 2024, 12:45 PM

Hi, Sanal,

Yes, your understanding about the quoted statement is correct - you will need to use `unsafe-eval` even with the latest version in this scenario.

As for the upgrade - yes, my personal opinion is that sticking to the latest version is always a good idea, as you get the latest fixes, the newest features, etc. For a smoother upgrade, you can check the backwards compatibility section of the Kendo UI for jQuery documentation and see how the changes introduced between the version you are using and the latest version affect your application:

Regards,
Vessy
