JENKINS-71520: [core] CSP compatibility: geval calls in hudson-behaviour.js

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core


        Basil Crow added a comment -

        The second of these failures can be reproduced very easily by creating a job with a Node Label parameter (or running NodeLabelParameterPluginTest in ATH).


        Yaroslav Afenkin added a comment -

        I've investigated the call inside evalInnerHtmlScripts while looking at https://issues.jenkins.io/browse/JENKINS-73974.

        The purpose of the path that calls geval is to execute JavaScript inside inline script blocks for elements that are dynamically added to the page (e.g. via hetero list). The alternative is including scripts via st:adjunct or script tags with src attribute, both of which are CSP compatible. So for me it would be something that should be fixed in plugins, by getting rid of inline script blocks.

        Nothing to be done in core on this (other than maybe a console.warn?), as that path will have to exist to preserve compatibility with plugins that have inline script blocks inside jelly files that can be dynamically rendered.

        Basil Crow added a comment -

        Nothing to be done in core on this (other than maybe a console.warn?), as that path will have to exist to preserve compatibility with plugins that have inline script blocks inside jelly files that can be dynamically rendered.

        Agreed. A warning might make the problem more obvious to someone debugging a CSP failure, which would be a nice developer quality of life improvement even if it has no impact on end users.

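        As an added illustration of the plugin-side fix the comments above point at (example code, not from Jenkins core or any plugin): a small scanner that classifies the script elements in a Jelly fragment into st:adjunct includes, script tags with a src attribute, and inline blocks, the last being the ones that would reach the geval path when the fragment is rendered dynamically. The sample fragment and the adjunct name org.example.plugin.widget are constructed.

```javascript
// Added example, not Jenkins code: classify the script elements in a Jelly/HTML
// fragment so a plugin maintainer can find inline blocks that core would have to
// run through the geval path when the fragment is rendered dynamically.
// Regex-based heuristic for a repo sweep, not a full XML/HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']*)["']/i;
const ADJUNCT_RE = /<st:adjunct\b[^>]*\bincludes\s*=\s*["']([^"']*)["']/gi;

function classifyScripts(fragment) {
  const result = { external: [], inline: [], adjuncts: [] };
  for (const m of fragment.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(m[1]);
    const body = m[2].trim();
    if (src) {
      result.external.push(src[1]);      // <script src=...>: CSP compatible
    } else if (body.length > 0) {
      result.inline.push(body);          // inline block: needs the geval path
    }
  }
  for (const a of fragment.matchAll(ADJUNCT_RE)) {
    result.adjuncts.push(a[1]);          // st:adjunct: CSP compatible
  }
  return result;
}

// True when nothing in the fragment would need the geval path.
function isCspClean(fragment) {
  return classifyScripts(fragment).inline.length === 0;
}

// Constructed sample fragment (hypothetical plugin) mixing all three styles.
const SAMPLE = `
<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
  <st:adjunct includes="org.example.plugin.widget"/>
  <div class="example-widget" data-widget-id="\${id}">
    <script type="text/javascript">
      document.getElementById("\${id}").classList.add("ready");
    </script>
    <script src="\${rootURL}/plugin/example/js/widget.js"></script>
  </div>
</j:jelly>
`;

console.log(classifyScripts(SAMPLE));  // one external, one inline, one adjunct
console.log(isCspClean(SAMPLE));       // false
```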

          Assignee: Unassigned
          Reporter: Yaroslav Afenkin (yafenkin)
          Votes: 0
          Watchers: 2