Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71513

[core] CSP compatibility: eval call in hudson-behaviour.js (renderOnDemand)

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Minor Minor
    • core
    • 2.447

        [JENKINS-71513] [core] CSP compatibility: eval call in hudson-behaviour.js (renderOnDemand)

        This is a part of Stapler, so addressing this does not seem straightforward to me.

        See:

        At glance it might be possible to not build the makeStaplerProxy(...) call as string, but to assign separate attributes to an element, and then call makeStaplerProxy in JS in core instead of eval("makeStaplerProxy(...)"), but it requires deeper investigation.

        Yaroslav Afenkin added a comment - This is a part of Stapler, so addressing this does not seem straightforward to me. See: https://github.com/jenkinsci/stapler/blob/7790f4fa2f5d027a71ea19a1327013a3b852e087/core/src/main/resources/org/kohsuke/stapler/bind.js#L5   https://github.com/jenkinsci/stapler/blob/7790f4fa2f5d027a71ea19a1327013a3b852e087/core/src/main/java/org/kohsuke/stapler/bind/Bound.java#L66 At glance it might be possible to not build the makeStaplerProxy(...) call as string, but to assign separate attributes to an element, and then call makeStaplerProxy in JS in core instead of eval("makeStaplerProxy(...)") , but it requires deeper investigation.

          danielbeck Daniel Beck
          yafenkin Yaroslav Afenkin
          Votes:
          0 Vote for this issue
          Watchers:
          1 Start watching this issue

            Created:
            Updated:
            Resolved: