Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-74067] Extract inline JavaScript from BuildMonitorView/index.jelly #1034

Merged
merged 2 commits into from
Nov 13, 2024
Merged

[JENKINS-74067] Extract inline JavaScript from BuildMonitorView/index.jelly #1034

merged 2 commits into from
Nov 13, 2024

Conversation

yaroslavafenkin
Copy link
Contributor

https://issues.jenkins.io/browse/JENKINS-74067

Testing done

Content Security Policy does not catch the violations on pages without l:layout, so I'm not relying on it here. I've tried manually adding the header on top of the file by adding the following:

<st:setHeader name="Content-Security-Policy"
                  value="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: ; script-src 'self' 'report-sample' usage.jenkins.io www.google-analytics.com api.github.com;"/>

Page obviously just falls apart with that header set because of inline scripts.
On the screen recording I'm demonstrating the replacement of makeStaplerProxy by the plugin (for whetaver reason it needs it, angularJS I guess), and showing plugin's basic behaviour like monitoring build statuses and showing build progress.

Before the fix

With the fix we're able to set the CSP rule as shown above and test with it. I've demonstrated that makeStaplerProxy is replaced in the same way as before the fix. And showing that all the build monitoring stuff still works with CSP header set.

After the fix

For Google Analytics script I've missed it when recording initially, so covered it separately:

Before the fix
After the fix

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@yaroslavafenkin yaroslavafenkin requested a review from a team as a code owner November 12, 2024 17:30
@basil basil added the internal label Nov 13, 2024
basil
basil approved these changes Nov 13, 2024
View reviewed changes
Copy link
Member

@basil basil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@basil basil merged commit 0e937b4 into jenkinsci:master Nov 13, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@basil basil basil approved these changes

Assignees
No one assigned
Labels
internal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yaroslavafenkin @basil