Hi all,
due to my age (hmm, it sounded like a good excuse at least) I've been clawing myself to the WebForms paradigm for far too long and have decided to take the leap to ASP.NET MVC (Core and Blazor would be fun, but unfortunately many of the hosting services I have to work with don't support it yet).
One question that struck me, though, is regarding security and authentication.
How does one make sure that calls such as .Read, .Update or .Destroy on the Kendo UI Grid are only accessible if a user is logged on?
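The point to take away is that the grid's JavaScript is not a security boundary: every Read/Update/Destroy request ends at an ordinary MVC action, so the check belongs on the action. The following is an added example (not code from the original post or from Telerik) showing a grid controller guarded with the standard ASP.NET MVC [Authorize] attribute. ProductViewModel, IProductRepository and the action names are assumptions made for the illustration; DataSourceRequest and ToDataSourceResult are the Kendo MVC types a grid's AJAX data source posts to.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Kendo.Mvc.Extensions;
using Kendo.Mvc.UI;

// Hypothetical view model and data-access abstraction (not from the post).
public class ProductViewModel
{
    public int ProductID { get; set; }
    public string ProductName { get; set; }
    public decimal UnitPrice { get; set; }
}

public interface IProductRepository
{
    IQueryable<ProductViewModel> All();
    void Update(ProductViewModel product);
    void Delete(int productId);
}

// [Authorize] on the class applies to every action, including the three the
// grid's data source calls. An anonymous request is rejected by the framework
// before the action body runs (with forms authentication that is a redirect to
// the login page), so nothing the grid sends can read or change data.
[Authorize]
public class ProductsController : Controller
{
    private readonly IProductRepository _repository;

    public ProductsController(IProductRepository repository)
    {
        _repository = repository;
    }

    public ActionResult Index()
    {
        return View();
    }

    // Any authenticated user may read.
    [HttpPost]
    public ActionResult Products_Read([DataSourceRequest] DataSourceRequest request)
    {
        return Json(_repository.All().ToDataSourceResult(request));
    }

    // Writes are narrowed further: only members of the (assumed) "Editor" role.
    [HttpPost]
    [Authorize(Roles = "Editor")]
    public ActionResult Products_Update([DataSourceRequest] DataSourceRequest request, ProductViewModel product)
    {
        if (product != null && ModelState.IsValid)
        {
            _repository.Update(product);
        }
        // Returning the model state lets the grid surface validation errors.
        return Json(new[] { product }.ToDataSourceResult(request, ModelState));
    }

    [HttpPost]
    [Authorize(Roles = "Editor")]
    public ActionResult Products_Destroy([DataSourceRequest] DataSourceRequest request, ProductViewModel product)
    {
        if (product != null)
        {
            _repository.Delete(product.ProductID);
        }
        return Json(new[] { product }.ToDataSourceResult(request, ModelState));
    }
}
```

Hiding the grid's edit buttons for anonymous users is a usability nicety; the [Authorize] attributes are what actually enforce the rule, because the data source URLs can be called directly without the grid.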
A security scan caught security vulnerabilities on several JavaScript files included with ASP.NET MVC version 2021.3.1109:
[1] kendo 2021.3.1109 kendo.dataviz.map.min.js
"The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with location, at line 26"
[2] kendo 2021.3.1109 kendo.data.min.js
"The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26"
[3] kendo 2021.3.1109 kendo.aspnetmvc.min.js
"The application's !function embeds untrusted data in the generated output with href, at line 25"
[4] kendo 2021.3.1109 kendo.mobile.min.js
"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35"
Can I safely exclude these files from my project?
Thanks.
Hello,
We are using the Content-Security-Policy in our ASP.NET MVC application and also using the Kendo UI controls.
Here are the details of the Content-Security-Policy:
<customHeaders>
  <add name="Content-Security-Policy" value="default-src https:;
    object-src 'none';
    script-src 'self' 'unsafe-eval' 'nonce-03148CFC65E74341814490514E0CEDD8';
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
    img-src 'self' data:;
    font-src 'self' https://fonts.gstatic.com;
    connect-src 'self' https://api.zoomcharts-cloud.com;
    form-action 'self';" />
</customHeaders>
Note:
Please help us out.
Thanks & Regards
Raju Chauhan
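A CSP nonce only does its job when it is unguessable and different on every response; a fixed value in web.config is equivalent to allowing any inline script that carries that string. As an added example (not code from the post above or from Telerik), the filter below emits the same policy as the web.config header but with a fresh nonce per request, and a small Razor helper exposes that nonce to views. The filter class, the HttpContext.Items key and the helper name are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Global filter: generates a per-request nonce and writes the CSP header.
// Register once, e.g. in FilterConfig: GlobalFilters.Filters.Add(new CspNonceFilter());
// and remove the static Content-Security-Policy entry from web.config so the
// two do not conflict.
public class CspNonceFilter : ActionFilterAttribute
{
    // Assumed key under which the nonce is stored for the duration of the request.
    public const string NonceKey = "CspNonce";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // 128 bits from a cryptographic RNG, base64-encoded as the CSP spec expects.
        var nonceBytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(nonceBytes);
        }
        string nonce = Convert.ToBase64String(nonceBytes);

        HttpContextBase http = filterContext.HttpContext;
        http.Items[NonceKey] = nonce;

        // Same directives as the web.config policy, with the nonce substituted.
        string csp = string.Join(" ",
            "default-src https:;",
            "object-src 'none';",
            "script-src 'self' 'unsafe-eval' 'nonce-" + nonce + "';",
            "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;",
            "img-src 'self' data:;",
            "font-src 'self' https://fonts.gstatic.com;",
            "connect-src 'self' https://api.zoomcharts-cloud.com;",
            "form-action 'self';");

        http.Response.AddHeader("Content-Security-Policy", csp);
        base.OnActionExecuting(filterContext);
    }
}

// Razor helper so a view can stamp the current nonce onto an inline script tag.
public static class CspHtmlHelpers
{
    public static string CspNonce(this HtmlHelper html)
    {
        return html.ViewContext.HttpContext.Items[CspNonceFilter.NonceKey] as string
               ?? string.Empty;
    }
}
```

In a view the nonce is used as `<script nonce="@Html.CspNonce()">...</script>`. Because the Kendo MVC helpers normally emit their widget initialization as inline scripts, configure each widget with `.Deferred()` and render the collected statements inside one such nonce-bearing tag with `@Html.Kendo().DeferredScripts(false)`, which outputs the statements without their own script element; otherwise the browser blocks the widget scripts under a nonce-based script-src.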