Type: Task
Resolution: Fixed
Priority: Minor
Component/s: build-monitor-plugin
1.14-947.vfec2cf655fe2
Problems
== Inline Script Block
Line: 61
----
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-61694827-4', 'auto', {
    'userId': '${it.installation.anonymousCorrelationId()}',
    'sampleRate': 1
});
ga('set', {
    'forceSSL': true,
    'appName': 'Build Monitor',
    'appId': 'build-monitor-plugin',
    'appVersion': '${it.installation.buildMonitorVersion()}',
    'appInstallerId': '${h.version}',
    'dimension1': '${it.installation.size()}',
    'dimension2': '${it.items.size()}',
    'dimension3': '${it.installation.audience()}',
    'dimension4': '${it.installation.anonymousCorrelationId()}'
});
ga('send', 'screenview', {screenName: 'Dashboard'});
</script>
----
== Inline Script Block
Line: 134
----
<script>
/*
 * todo: (13.08.2013) Replace the below workaround with a custom Jelly tag (ExposeBindTag)
 * extending either org.kohsuke.stapler.jelly.BindTag or AbstractStaplerTag,
 * that would supersede currently defective BindTag implementation:
 * - https://groups.google.com/forum/#!topic/jenkinsci-dev/S9bhX4ts0g4
 * - https://issues.jenkins-ci.org/browse/JENKINS-18641
 *
 * Defect in BindTag manifests itself by causing a JavaScript error and preventing scripts after
 * the <st:bind> invocation from executing, which results in an "empty Build Monitor".
 * The issue occurs on Jenkins 1.521-1.526, only if the jQuery plugin is used.
 *
 * Motivation behind a custom Jelly tag:
 * Original implementation of the BindTag doesn't provide an easy way of handling AJAX errors,
 * which may happen if a network connection is lost or when Jenkins is restarted (which then makes
 * Stapler's binding hash obsolete and Jenkins return 404 for any subsequent requests).
 *
 * Custom Jelly tag should generate a JSON object exposing the binding, leaving the implementation
 * of the proxy to the Developer. It makes more sense for a developer to require a binding adapter
 * implementation specific to their JavaScript framework of choice, rather than for Stapler to try
 * to predict what JavaScript libraries will ever be used with it in the future...
 */
window.originalMakeStaplerProxy = window.makeStaplerProxy;
window.makeStaplerProxy = function(url, crumb, methods) {
    return { url: url, crumb: crumb, methods: methods }
};
window.bindings={};
</script>
----
== Inline Script Block
Line: 163
----
<script>
window.bindings['buildMonitor'] = buildMonitorBind
window.makeStaplerProxy = window.originalMakeStaplerProxy;
try {
    delete window.originalMakeStaplerProxy;
} catch(e) {
    window["originalMakeStaplerProxy"] = undefined;
}
</script>
----
== Inline Script Block
Line: 186
----
<script>
'use strict';
angular.
    module('buildMonitor').
    constant('BUILD_MONITOR_VERSION', '${it.installation.buildMonitorVersion()}').
    constant('CSRF_CRUMB_FIELD_NAME', '${it.csrfCrumbFieldName}').
    config(function(proxyProvider, cookieJarProvider, hashCodeProvider) {
        var hashCodeOf = hashCodeProvider.hashCodeOf;
        proxyProvider.configureProxiesUsing(window.bindings);
        cookieJarProvider.describe({
            label: 'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
            shelfLife: 365
        });
    });
</script>
----
Solution
https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks