
[JENKINS-74010] Extract JavaScript block in BlueOceanUI/index.jelly #2587

Merged
merged 2 commits into from
Nov 20, 2024

Conversation

basil
Member

@basil basil commented Nov 19, 2024

Context

See JENKINS-74010.

Problem

<script>
window.isDevelopmentMode = ${it.developmentMode};
function lb(c,t){setTimeout(function(){document.getElementById('loadbar').classList.add(c)},t)}
lb('go',10);lb('long',1000);lb('longer',6000);
</script>

Solution

https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks

Testing done

Tested together with #2588 and

diff --git a/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly b/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
index dc61f3c0d..3d75385e7 100644
--- a/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
+++ b/blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
@@ -1,6 +1,7 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:x="jelly:xml">
     <st:contentType value="text/html;charset=UTF-8"/>
+    <st:header name="Content-Security-Policy" value="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: ; script-src 'self' 'unsafe-eval' 'report-sample' usage.jenkins.io" />
 
     <!-- Add HTTP headers from extensions. See BluePageDecorator.java -->
     <j:forEach var="pd" items="${it.pageDecorators}">
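Review bot: the policy on the added `st:header` line leaves out the directives that do not fall back to `default-src`, namely `base-uri` and `frame-ancestors`, so if this line is ever meant to ship rather than serve only as the local test harness described in the PR text, add `base-uri 'self'` (and a `frame-ancestors` value matching what Jenkins core already sends) so the policy is complete. The `'unsafe-eval'` in `script-src` is acknowledged in the description as deliberate to avoid exposing 74883, but it should be called out in a comment next to the header because it means the policy does not block eval-based execution. Minor: the stray space in `img-src 'self' data: ;` is harmless but untidy.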

Note that the above contains unsafe-eval to avoid exposing 74883.

Confirmed that after the header was added but before this PR and #2588, Blue Ocean blew up with a CSP violation. Confirmed that after the header was added and after this PR and #2588, Blue Ocean loaded correctly.

Submitter checklist

  • Link to JIRA ticket in description, if appropriate.
  • Change is code complete and matches issue description
  • Appropriate unit or acceptance tests or explanation of why this change has no tests
  • Reviewer's manual test instructions provided in PR description. See Reviewer's first task below.

Reviewer checklist

  • Run the changes and verified the change matches the issue description
  • Reviewed the code
  • Verified that the appropriate tests have been written or valid explanation given
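As an added example (not Blue Ocean's own code), the inline block from the Problem section above rewritten so that it is compatible with the CSP described in the linked Jenkins page: the server-side value travels in a `data-` attribute instead of a Jelly expression inside `<script>`, and the logic lives in an external file. The element id `blueocean-config`, the script path and the `resURL` variable in the commented markup are assumptions.

```javascript
// Assumed Jelly markup replacing the inline <script> block (not the PR's own markup):
//   <div id="blueocean-config" data-development-mode="${it.developmentMode}"/>
//   <script src="${resURL}/plugin/blueocean/js/bootstrap.js"/>
// The contents of that external file follow.

function readDevelopmentMode(configElement) {
  // The Jelly expression used to render as a bare boolean inside the script;
  // as an escaped attribute it arrives as the string "true" or "false".
  // Compare the string explicitly rather than evaluating it.
  if (!configElement || !configElement.dataset) return false;
  return configElement.dataset.developmentMode === "true";
}

// Same timings as the original lb('go',10);lb('long',1000);lb('longer',6000)
const LOADBAR_SCHEDULE = [["go", 10], ["long", 1000], ["longer", 6000]];

function scheduleLoadbar(loadbar, schedule, setTimer) {
  // setTimer is injectable so the scheduling can be checked without a browser
  const timer = setTimer || setTimeout;
  schedule.forEach(([cls, delay]) => {
    timer(() => loadbar.classList.add(cls), delay);
  });
}

function bootstrap(doc, win) {
  // Expose the flag on window exactly as the inline block did
  win.isDevelopmentMode = readDevelopmentMode(doc.getElementById("blueocean-config"));
  const bar = doc.getElementById("loadbar");
  if (bar) scheduleLoadbar(bar, LOADBAR_SCHEDULE);
}

// Run only in a real browser; the functions above stay callable for testing
if (typeof document !== "undefined" && typeof window !== "undefined") {
  bootstrap(document, window);
}
```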

@basil basil requested a review from olamy November 20, 2024 11:41
@olamy olamy merged commit dc84be9 into jenkinsci:master Nov 20, 2024
17 checks passed
@basil basil deleted the JENKINS-74010 branch November 20, 2024 22:52