Telerik Forums
UI for ASP.NET MVC Forum
0 answers
60 views

Hi all,

Due to my age (hmm, it sounded like a good excuse at least) I've been clawing myself to the WebForms paradigm for far too long and have decided to take the leap to ASP.NET MVC (Core and Blazor would be fun, but unfortunately many of the hosting services I have to work with don't support it yet).

One question that struck me, though, is regarding security and authentication.

How does one make sure that the calls, for instance .Read, .Update or .Destroy on the Kendo UI Grid, are only accessible if a user is logged on?

Johannes
updated question on 04 Sep 2022
1 answer
123 views

A security scan caught security vulnerabilities in several JavaScript files included with ASP.NET MVC version 2021.3.1109:

[1] kendo 2021.3.1109 kendo.dataviz.map.min.js

"The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with location, at line 26"

[2] kendo 2021.3.1109 kendo.data.min.js

"The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26"

[3] kendo 2021.3.1109 kendo.aspnetmvc.min.js

"The application's !function embeds untrusted data in the generated output with href, at line 25"

[4] kendo 2021.3.1109 kendo.mobile.min.js

"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35"

Can I safely exclude these files from my project?

Thanks.

Georgi
Telerik team
 updated answer on 06 Jan 2022
1 answer
98 views

Hello,

We are using the Content-Security-Policy in our ASP.NET MVC application and also using the Kendo UI controls.

Here are the details of the Content-Security-Policy:

<customHeaders>
  <add name="Content-Security-Policy" value="default-src https:;
object-src 'none';
script-src 'self' 'unsafe-eval' 'nonce-03148CFC65E74341814490514E0CEDD8';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.zoomcharts-cloud.com;
form-action 'self';"></add>
</customHeaders>

The application runs as expected until we remove "unsafe-eval" from "script-src", after which the web page throws the below error:

Note:

Please help us out.

Thanks & Regards

Raju Chauhan

Anton Mironov
Telerik team
 answered on 22 Dec 2021