As a security fix, hudson.model.Api no longer permits the jsonp parameter, or xpath with a primitive result set. This is the safest policy, but in certain cases it is useful to whitelist particular requesters known to be harmless. The INSECURE system property should be deprecated or deleted and an extension point introduced so that various policies can be added by plugins: whitelists based on host name, requests with no Referer, etc.
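The extension-point design the description proposes, sketched as an added example (not Jenkins' own code): the `SecureRequester` name, the `permit` signature, the `ApiGuard` stand-in and the host names are assumptions, and Jenkins' plugin discovery is replaced by a plain list so the file compiles and runs stand-alone.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;

// Stand-in for the check hudson.model.Api would make before serving a sensitive format.
// In Jenkins the policy list would be discovered via the extension mechanism (assumption).
final class ApiGuard {
    private final List<SecureRequester> policies;
    ApiGuard(List<SecureRequester> policies) { this.policies = policies; }
    boolean allowSensitiveFormat(boolean jsonpOrPrimitiveXpath, String referer, String ownHost) {
        if (!jsonpOrPrimitiveXpath) return true;        // ordinary JSON/XML responses are unaffected
        return policies.stream().anyMatch(p -> p.permit(referer, ownHost));
    }
    public static void main(String[] args) {            // constructed host names for illustration
        ApiGuard guard = new ApiGuard(List.of(
            new NoRefererPolicy(), new HostWhitelistPolicy(Set.of("dashboard.example.internal"))));
        System.out.println(guard.allowSensitiveFormat(true, null, "ci.example.internal"));
        System.out.println(guard.allowSensitiveFormat(true, "https://untrusted.example/p", "ci.example.internal"));
    }
}
// Hypothetical extension point (assumed name, not Jenkins' real API). Each plugin contributes one
// policy; any policy that permits the requester unlocks the jsonp / primitive-xpath formats for it.
interface SecureRequester {
    // referer is the Referer header value, or null when the request carried none
    boolean permit(String referer, String ownHost);
}
// Policy named in the issue: permit requests that carry no Referer at all.
// Caveat: browsers may strip Referer under a referrer policy, so this relaxes the safe default.
final class NoRefererPolicy implements SecureRequester {
    public boolean permit(String referer, String ownHost) {
        return referer == null || referer.isEmpty();
    }
}
// Policy named in the issue: a whitelist of host names known to be harmless embedders.
final class HostWhitelistPolicy implements SecureRequester {
    private final Set<String> allowedHosts;
    HostWhitelistPolicy(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }
    public boolean permit(String referer, String ownHost) {
        if (referer == null) return false;
        try {
            String host = new URI(referer).getHost();   // parse the host; never a substring match
            return host != null
                && (host.equalsIgnoreCase(ownHost) || allowedHosts.contains(host.toLowerCase()));
        } catch (URISyntaxException e) {
            return false;                               // malformed Referer: treat as untrusted
        }
    }
}
```

Save as `ApiGuard.java` and run with `java ApiGuard.java` (Java 11 or later); the first call is permitted by the no-Referer policy, the second is refused because the Referer host is neither the instance itself nor whitelisted.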

          [JENKINS-16936] Extension point for secure users of Api

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-47 [ SECURITY-47 ]
          Ryan Campbell made changes -
          Assignee New: Ryan Campbell [ recampbell ]
          Jesse Glick made changes -
          Labels Original: security New: 1.480.4-candidate security
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-17005 [ JENKINS-17005 ]

          Lance Wicks added a comment -

          Will this be implemented via the GUI interface?


          Jesse Glick added a comment -

          It would be up to the plugin implementing the extension point whether to offer a UI interface for customizing its behavior, and if so, what the customizations would consist of.

          Jesse Glick made changes -
          Labels Original: 1.480.4-candidate security New: lts-candidate security
          Jesse Glick made changes -
          Assignee Original: Ryan Campbell [ recampbell ] New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
