Unplanned
Last Updated: 18 Jan 2024 12:41 by ADMIN
ADMIN
Rumen
Created on: 13 Dec 2018 16:45
Category: ScriptManager
Type: Feature Request
9
Subresource Integrity (CDN)
Subresource Integrity is a fairly new security scheme for protecting against malicious scripts obtained from third-party sources (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.

Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this on the roadmap?

Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here -> https://observatory.mozilla.org/analyze/www.telerik.com

More info available at:
https://infosec.mozilla.org/guidelines/web_security#subresource-integrity
https://www.w3.org/TR/SRI/
10 comments
ADMIN
Rumen
Posted on: 18 Jan 2024 12:41

Hi John,

Thank you for bringing this to our attention. We want you to know that we have heard your concerns, and they have been escalated to our top management for serious consideration. While we work on a long-term solution, we suggest a couple of interim methods to manage the issue:

  • Utilize embedded resources in the Telerik.Web.UI.dll assembly
  • Set up a local CDN, as detailed in this instructional video: Local CDN Setup Guide.

We appreciate your patience and value your feedback as we strive to improve our services.

Best Regards,
Rumen
Progress Telerik

Stay tuned by visiting our public roadmap and feedback portal pages! Or perhaps, if you are new to our Telerik family, check out our getting started resources
John
Posted on: 18 Jan 2024 01:05
We have also been waiting for this for years. This gets flagged on every vulnerability scan and third-party penetration test.
ADMIN
Rumen
Posted on: 15 Nov 2023 14:39

Thank you for your feature request, Roger!

As you've observed, RadScriptManager, which is based on asp:ScriptManager, currently does not provide the functionality to specify integrity attributes for externally referenced scripts directly. I logged a feature request on your behalf so that our management can consider planning a task for implementing these missing properties to ease your work: Support for Subresource Integrity (SRI directive) in RadScriptManager.

Best Regards,
Rumen
Progress Telerik

Roger
Posted on: 15 Nov 2023 13:30
Sorry, I have only now realized that you were referring to ScriptManager. But there is also your RadScriptManager version. You could provide these additional attributes there, I guess?
Roger
Posted on: 15 Nov 2023 13:27

Thanks Rumen for your comment. Using the embedded script resources in the Telerik.Web.UI.dll is a solution for this specific use case with CDN.

But how to handle external resources, which are referenced from RadScriptManager? It does not seem to be possible to add this SRI directive to RadScriptReference. Sorry, it is not exactly the same topic, but closely related.

It would be annoying if I have to download corresponding JS files and copy them to all my ASP.NET projects.

Cheers,
Roger

ADMIN
Rumen
Posted on: 15 Nov 2023 12:08

Hi Roger and John,

Thank you for your opinion!

The feature is indeed important, but unfortunately, it is not an easy task to achieve in the realm of ASP.NET WebForms, because even the MS AJAX CDN scripts and the asp:ScriptManager do not support adding the integrity attribute.

The available options so far are:

  • Use the embedded script resources in the Telerik.Web.UI.dll 
  • Configure the Telerik controls to use a local CDN server: Configure Local CDN for Telerik UI for ASP.NET AJAX. This approach would allow the scanning process to recognize that the resources are being served from your own domain, thereby eliminating the need for a hash.

Best Regards,
Rumen
Progress Telerik

Roger
Posted on: 15 Nov 2023 10:11
Security is getting more and more important, and SRI should be at the top of your priority list. Organizations are using security services that scan their external resources, and we look bad if the scores go down.
John
Posted on: 07 Oct 2019 18:35

I concur with Dan Ehrmann: we get a failing PCI scan if using the CDN.

Title: Script Src Integrity Check

Synopsis: Report external script resources not using integrity.

Impact: The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src. If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

I am certain you guys could have your controls produce hash values, which would save a lot of users from having to make exceptions and/or concessions.

Thanks, John

ADMIN
Marin Bratanov
Posted on: 02 Jan 2019 17:31
Thank you for your feedback, Dan. We will definitely keep this in mind. If this becomes commonly requested and popular, we will consider it for sure.

So far, in the decade we have offered a CDN, this is the first time this has been requested, so for the time being I can suggest you use a custom CDN on your own server: https://docs.telerik.com/devtools/aspnet-ajax/controls/scriptmanager/cdn-support/custom-cdn-provider. This should let the scan realize the resources are coming from your own domain and thus not require the hash. The caching benefits are almost the same as with a cloud CDN. Of course, if you have users all over the globe, there will be a little more of a difference.

Regards,
Marin Bratanov

Dan Ehrmann
Posted on: 02 Jan 2019 16:48
FYI - our most recent PCI compliance scan flagged this as a fatal error. To resolve it, we have disabled the CDN on the ScriptManager. I think you will have a lot of customers faced with this problem in the near future.