From 38735fa6b5b4a75a19b33e43096ceaf9f7b44193 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 13:49:33 +0300 Subject: [PATCH] Added new kb article content-security-policy-telerik-ui-aspnet-ajax (#595) Co-authored-by: KB Bot --- ...-security-policy-telerik-ui-aspnet-ajax.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 knowledge-base/content-security-policy-telerik-ui-aspnet-ajax.md diff --git a/knowledge-base/content-security-policy-telerik-ui-aspnet-ajax.md b/knowledge-base/content-security-policy-telerik-ui-aspnet-ajax.md new file mode 100644 index 000000000..d9f77bbb1 --- /dev/null +++ b/knowledge-base/content-security-policy-telerik-ui-aspnet-ajax.md 
@@ -0,0 +1,65 @@ +--- +title: Understanding CSP Support with Telerik UI for ASP.NET AJAX +description: Explore how Telerik UI for ASP.NET AJAX aligns with Content Security Policy (CSP) directives and the impact on web application security. +type: troubleshooting +page_title: Implementing Content Security Policy (CSP) with Telerik UI for ASP.NET AJAX Components +slug: content-security-policy-telerik-ui-aspnet-ajax +tags: content security policy, csp, asp.net ajax, unsafe-inline, unsafe-eval +res_type: kb +ticketid: 1660059 +--- + +## Environment + +| Product | Telerik UI for ASP.NET AJAX | +| --- | --- | +| Version | Current | + +## Description + +When integrating Telerik UI for ASP.NET AJAX into web applications with a Content Security Policy (CSP), it's necessary to include 'unsafe-inline' and 'unsafe-eval' directives. This requirement stems from the Microsoft AJAX client-side library used by ASP.NET Web Forms, which relies on functions like `setTimeout()`, `setInterval()`, inline scripts, and `eval()`. + +## Cause + +The ASP.NET Web Forms framework and, by extension, Telerik UI for ASP.NET AJAX depend on the Microsoft AJAX client-side library. This library uses `eval()` and inline scripts extensively, making it incompatible with a strict CSP that excludes 'unsafe-inline' and 'unsafe-eval' directives. + +## Solution + +As Microsoft's [Content Security Vulnerability in ASP.NET(WebForms)](https://techcommunity.microsoft.com/t5/iis-support-blog/content-security-vulnerability-in-asp-net-webforms/ba-p/3951304) blog post advices to ensure the proper functioning of your ASP.NET Web Forms application, you should include the following minimal CSP configuration: + +```html + +``` + +For applications using Telerik UI for ASP.NET AJAX with CDN over HTTPS, use this extended CSP configuration: + +```html + +``` + +## Suggested Workarounds + +For projects where strict CSP compliance is a priority, consider migrating to Telerik UI for ASP.NET MVC or Telerik UI for ASP.NET Core. 
These products have enhanced CSP support: + +- As of the R1 2023 release, 'unsafe-eval' is no longer required. +- Starting with the R3 2023 release, 'unsafe-inline' in the "style-src" directive won't be necessary, except for specific components like the Editor, ResponsivePanel, GridLayout, and StackLayout. + +## Notes + +Due to the reliance on the Microsoft AJAX framework, achieving full CSP compliance without 'unsafe-inline' and 'unsafe-eval' is challenging for ASP.NET Web Forms applications. Microsoft's focus has shifted towards ASP.NET MVC and Core, emphasizing the need for modernization and security compliance in web development. + +## See Also + +- [Content Security Vulnerability in ASP.NET(WebForms)](https://techcommunity.microsoft.com/t5/iis-support-blog/content-security-vulnerability-in-asp-net-webforms/ba-p/3951304) +- [Working with Telerik UI for ASP.NET AJAX and Content Security Policy](https://docs.telerik.com/devtools/aspnet-ajax/getting-started/work-with-controls/content-security-policy) +- [Content Security Policy Support in Telerik UI for ASP.NET MVC](https://docs.telerik.com/aspnet-mvc/html-helpers/helper-basics/content-security-policy) +- [Content Security Policy Support in Telerik UI for ASP.NET Core](https://docs.telerik.com/aspnet-core/html-helpers/helper-basics/content-security-policy)
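Review bot: Both fenced `html` blocks in the "## Solution" section are empty, so the article never shows the "minimal CSP configuration" or the "extended CSP configuration" it promises; each block should carry the actual `<meta http-equiv="Content-Security-Policy" content="...">` element (or the equivalent response-header value) with the 'unsafe-inline' / 'unsafe-eval' directives the Description and Cause sections say are required, otherwise the Solution section gives the reader nothing to apply. In the same section, "blog post advices to ensure" should read "blog post advises, to ensure". Since the article recommends adding 'unsafe-inline' and 'unsafe-eval', the "## Notes" section would also benefit from one sentence stating the trade-off so readers understand this is a compatibility setting, and pointing them to the linked "Working with Telerik UI for ASP.NET AJAX and Content Security Policy" page, which is listed under "## See Also" but never referenced from the body.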