As a security fix, hudson.model.Api no longer permits the jsonp parameter, or xpath with a primitive result set. This is the safest policy but in certain cases it is useful to whitelist particular requesters known to be harmless. The INSECURE system property should be deprecated or deleted and an extension point introduced so various policies can be added by plugins: whitelists based on host name, requests with no Referer, etc.

          [JENKINS-16936] Extension point for secure users of Api
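A sketch of the kind of extension point the issue asks for, as an added example that is not Jenkins code or the fix that was eventually committed. The names `Request`, `RequesterPolicy`, `NO_REFERER`, `hostWhitelist` and `allowed`, and all host names, are hypothetical; header names are assumed to be normalized already.

```java
import java.util.List;
import java.util.Map;

public class ApiPolicyDemo {
    /** Hypothetical stand-in for the request data a policy would inspect. */
    record Request(String remoteHost, Map<String, String> headers, Map<String, String> params) {}

    /** Hypothetical extension point: a plugin returns true to vouch for a requester. */
    interface RequesterPolicy {
        boolean permit(Request req);
    }

    /** Policy named in the issue: permit requests that carry no Referer header. */
    static final RequesterPolicy NO_REFERER = req -> !req.headers().containsKey("Referer");

    /** Policy named in the issue: permit an explicit list of host names. */
    static RequesterPolicy hostWhitelist(List<String> hosts) {
        return req -> hosts.contains(req.remoteHost());
    }

    /** Default deny: the restricted output forms are served only if some policy vouches. */
    static boolean allowed(Request req, boolean primitiveXPathResult, List<RequesterPolicy> policies) {
        boolean restricted = req.params().containsKey("jsonp") || primitiveXPathResult;
        if (!restricted) {
            return true; // ordinary API output is not affected by the restriction
        }
        return policies.stream().anyMatch(p -> p.permit(req));
    }

    public static void main(String[] args) {
        // Constructed sample requests; none of these hosts come from the issue.
        List<RequesterPolicy> policies =
                List.of(NO_REFERER, hostWhitelist(List.of("ci-dashboard.example")));
        Map<String, String> referer = Map.of("Referer", "https://other-site.example/page");
        Request script = new Request("build-agent.example", Map.of(), Map.of("jsonp", "cb"));
        Request embedded = new Request("desktop.example", referer, Map.of("jsonp", "cb"));
        Request listed = new Request("ci-dashboard.example", referer, Map.of("jsonp", "cb"));
        Request plain = new Request("desktop.example", referer, Map.of());

        System.out.println("no Referer, jsonp:        " + allowed(script, false, policies));
        System.out.println("Referer set, jsonp:       " + allowed(embedded, false, policies));
        System.out.println("Referer set, primitive:   " + allowed(plain, true, policies));
        System.out.println("whitelisted host, jsonp:  " + allowed(listed, false, policies));
        System.out.println("Referer set, plain query: " + allowed(plain, false, policies));
    }
}
```

With an empty policy list the check reduces to the strict behaviour the issue describes as the safest policy: every `jsonp` or primitive-result `xpath` request is refused.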

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-47 [ SECURITY-47 ]
          Ryan Campbell made changes -
          Assignee New: Ryan Campbell [ recampbell ]
          Jesse Glick made changes -
          Labels Original: security New: 1.480.4-candidate security
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-17005 [ JENKINS-17005 ]
          Jesse Glick made changes -
          Labels Original: 1.480.4-candidate security New: lts-candidate security
          Jesse Glick made changes -
          Assignee Original: Ryan Campbell [ recampbell ] New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Oliver Gondža made changes -
          Labels Original: lts-candidate security New: 1.532.2-fixed security
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 147766 ] New: JNJira + In-Review [ 192574 ]

            jglick Jesse Glick