
[build-monitor-plugin] Extract inline script blocks in com/smartcodeltd/jenkinsci/plugins/buildmonitor/BuildMonitorView/index.jelly

    • 1.14-947.vfec2cf655fe2

      Problems

      == Inline Script Block
      Line: 61
      ----
      <script>
                          // Google Analytics bootstrap for the Build Monitor dashboard: queues tracker
                          // commands on window.ga and then queues a 'Dashboard' screenview.
                          // NOTE(review): as an inline block this only executes where the page's
                          // Content-Security-Policy permits inline scripts.
                          // NOTE(review): each quoted value below that comes from a Jelly expression is
                          // rendered server-side into a single-quoted JavaScript string; whether the
                          // output is escaped for that context is not visible here - confirm.
                          // Define ga() as a stub that pushes its arguments onto ga.q when no ga() exists
                          // yet, and store the current time in ga.l.
                          window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
      
                          // Create the tracker for the hard-coded property id; userId is taken from
                          // installation.anonymousCorrelationId() and sampleRate is 1.
                          ga('create', 'UA-61694827-4', 'auto', {
                              'userId':     '${it.installation.anonymousCorrelationId()}',
                              'sampleRate': 1
                          });
      
                          // Set app metadata and four custom dimensions on the tracker.
                          // NOTE(review): this hands the plugin version, h.version (presumably the Jenkins
                          // core version - confirm), installation.size(), items.size(),
                          // installation.audience() and the correlation id to the analytics queue, i.e. to
                          // a third-party service once the analytics library processes it.
                          ga('set', {
                              'forceSSL':       true,
                              'appName':        'Build Monitor',
                              'appId':          'build-monitor-plugin',
      
                              'appVersion':     '${it.installation.buildMonitorVersion()}',
                              'appInstallerId': '${h.version}',
      
                              'dimension1':     '${it.installation.size()}',
                              'dimension2':     '${it.items.size()}',
                              'dimension3':     '${it.installation.audience()}',
                              'dimension4':     '${it.installation.anonymousCorrelationId()}'
                          });
      
                          // Queue a screenview hit for the 'Dashboard' screen. The analytics library
                          // itself is not loaded by this block.
                          ga('send', 'screenview', {screenName: 'Dashboard'});
                      </script>
      ----
      
      == Inline Script Block
      Line: 134
      ----
      <script>
                      // Saves the current window.makeStaplerProxy, installs a stub in its place and
                      // creates an empty window.bindings object. The stub returns its three arguments
                      // as a plain object.
                      // NOTE(review): as an inline block this only executes where the page's
                      // Content-Security-Policy permits inline scripts.
                      /*
                       * todo: (13.08.2013) Replace the below workaround with a custom Jelly tag (ExposeBindTag)
                       *   extending either org.kohsuke.stapler.jelly.BindTag or AbstractStaplerTag,
                       *   that would supersede currently defective BindTag implementation:
                       *   - https://groups.google.com/forum/#!topic/jenkinsci-dev/S9bhX4ts0g4
                       *   - https://issues.jenkins-ci.org/browse/JENKINS-18641
                       *
                       *   Defect in BindTag manifests itself by causing a JavaScript error and preventing scripts after
                       *   the &lt;st:bind&gt; invocation from executing, which results in an "empty Build Monitor".
                       *   The issue occurs on Jenkins 1.521-1.526, only if the jQuery plugin is used.
                       *
                       * Motivation behind a custom Jelly tag:
                       *   Original implementation of the BindTag doesn't provide an easy way of handling AJAX errors,
                       *   which may happen if a network connection is lost or when Jenkins is restarted (which then makes
                       *   Stapler's binding hash obsolete and Jenkins return 404 for any subsequent requests).
                       *
                       *   Custom Jelly tag should generate a JSON object exposing the binding, leaving the implementation
                       *   of the proxy to the Developer. It makes more sense for a developer to require a binding adapter
                       *   implementation specific to their JavaScript framework of choice, rather than for Stapler to try
                       *   to predict what JavaScript libraries will ever be used with it in the future...
                       */
                      // Keep a reference to the current implementation; the script block reported at
                      // line 163 assigns it back.
                      window.originalMakeStaplerProxy = window.makeStaplerProxy;
                      // Stub: hands back url, crumb and methods unchanged.
                      // NOTE(review): `crumb` is presumably the CSRF crumb passed in by the generated
                      // bind call - confirm. The object returned here ends up under window.bindings
                      // (see the block reported at line 163), a global that any script on the page
                      // can read.
                      window.makeStaplerProxy = function(url, crumb, methods) {
                          return { url: url, crumb: crumb, methods: methods }
                      };
                      // Registry that the later script blocks fill and read.
                      window.bindings={};
                  </script>
      ----
      
      == Inline Script Block
      Line: 163
      ----
      <script>
                      // Stores buildMonitorBind under window.bindings, then puts the saved
                      // makeStaplerProxy back and removes the temporary global.
                      // NOTE(review): buildMonitorBind is not defined in this block; presumably it is
                      // produced by an st:bind tag placed between the blocks reported at lines 134 and
                      // 163 - confirm. This block depends on running after both of them.
                      window.bindings['buildMonitor'] = buildMonitorBind
                      // Restore the implementation saved by the block reported at line 134.
                      window.makeStaplerProxy = window.originalMakeStaplerProxy;
                      // Remove the temporary global; if delete throws, overwrite it with undefined.
                      try {
                          delete window.originalMakeStaplerProxy;
                      } catch(e) {
                          window["originalMakeStaplerProxy"] = undefined;
                      }
                  </script>
      ----
      
      == Inline Script Block
      Line: 186
      ----
      <script>
                      // Configures the 'buildMonitor' AngularJS module: registers two server-supplied
                      // constants, then sets up the proxies and the cookie jar.
                      // NOTE(review): as an inline block this only executes where the page's
                      // Content-Security-Policy permits inline scripts.
                      'use strict';
      
                      angular.
      
                          module('buildMonitor').
      
                          // Both constants are Jelly expressions rendered into single-quoted JavaScript
                          // strings. NOTE(review): whether the rendered values are escaped for that
                          // context is not visible here - confirm.
                          constant('BUILD_MONITOR_VERSION', '${it.installation.buildMonitorVersion()}').
                          constant('CSRF_CRUMB_FIELD_NAME', '${it.csrfCrumbFieldName}').
      
                          config(function(proxyProvider, cookieJarProvider, hashCodeProvider) {
                              var hashCodeOf = hashCodeProvider.hashCodeOf;
      
                              // Build the proxies from the global registry filled by the earlier
                              // inline blocks.
                              proxyProvider.configureProxiesUsing(window.bindings);
      
                              // The cookie label is derived from the data-display-name attribute of
                              // the body element, so this value already reaches the script without
                              // template interpolation. shelfLife unit is not shown here (presumably
                              // days - confirm).
                              cookieJarProvider.describe({
                                  label:     'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
                                  shelfLife: 365
                              });
                          });
                  </script>
      ----
      

      Solution

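      Move each of the inline script blocks above into a JavaScript file served from the plugin's resources, and pass the values currently interpolated by Jelly expressions through data attributes, as described at:
      https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks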

          [JENKINS-74067] [build-monitor-plugin] Extract inline script blocks in com/smartcodeltd/jenkinsci/plugins/buildmonitor/BuildMonitorView/index.jelly

          Basil Crow created issue -
          Basil Crow made changes -
          Description Original: h4. Problems

          {noformat}
          == Inline Script Block
          Line: 61
          ----
          <script>
                              window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;

                              ga('create', 'UA-61694827-4', 'auto', {
                                  'userId': '${it.installation.anonymousCorrelationId()}',
                                  'sampleRate': 1
                              });

                              ga('set', {
                                  'forceSSL': true,
                                  'appName': 'Build Monitor',
                                  'appId': 'build-monitor-plugin',

                                  'appVersion': '${it.installation.buildMonitorVersion()}',
                                  'appInstallerId': '${h.version}',

                                  'dimension1': '${it.installation.size()}',
                                  'dimension2': '${it.items.size()}',
                                  'dimension3': '${it.installation.audience()}',
                                  'dimension4': '${it.installation.anonymousCorrelationId()}'
                              });

                              ga('send', 'screenview', {screenName: 'Dashboard'});
                          </script>
          ----

          == Inline Script Block
          Line: 134
          ----
          <script>
                          /*
                           * todo: (13.08.2013) Replace the below workaround with a custom Jelly tag (ExposeBindTag)
                           * extending either org.kohsuke.stapler.jelly.BindTag or AbstractStaplerTag,
                           * that would supersede currently defective BindTag implementation:
                           * - https://groups.google.com/forum/#!topic/jenkinsci-dev/S9bhX4ts0g4
                           * - https://issues.jenkins-ci.org/browse/JENKINS-18641
                           *
                           * Defect in BindTag manifests itself by causing a JavaScript error and preventing scripts after
                           * the &lt;st:bind&gt; invocation from executing, which results in an "empty Build Monitor".
                           * The issue occurs on Jenkins 1.521-1.526, only if the jQuery plugin is used.
                           *
                           * Motivation behind a custom Jelly tag:
                           * Original implementation of the BindTag doesn't provide an easy way of handling AJAX errors,
                           * which may happen if a network connection is lost or when Jenkins is restarted (which then makes
                           * Stapler's binding hash obsolete and Jenkins return 404 for any subsequent requests).
                           *
                           * Custom Jelly tag should generate a JSON object exposing the binding, leaving the implementation
                           * of the proxy to the Developer. It makes more sense for a developer to require a binding adapter
                           * implementation specific to their JavaScript framework of choice, rather than for Stapler to try
                           * to predict what JavaScript libraries will ever be used with it in the future...
                           */
                          window.originalMakeStaplerProxy = window.makeStaplerProxy;
                          window.makeStaplerProxy = function(url, crumb, methods) {
                              return { url: url, crumb: crumb, methods: methods }
                          };
                          window.bindings={};
                      </script>
          ----

          == Inline Script Block
          Line: 163
          ----
          <script>
                          window.bindings['buildMonitor'] = buildMonitorBind
                          window.makeStaplerProxy = window.originalMakeStaplerProxy;
                          try {
                              delete window.originalMakeStaplerProxy;
                          } catch(e) {
                              window["originalMakeStaplerProxy"] = undefined;
                          }
                      </script>
          ----

          == Inline Script Block
          Line: 186
          ----
          <script>
                          'use strict';

                          angular.

                              module('buildMonitor').

                              constant('BUILD_MONITOR_VERSION', '${it.installation.buildMonitorVersion()}').
                              constant('CSRF_CRUMB_FIELD_NAME', '${it.csrfCrumbFieldName}').

                              config(function(proxyProvider, cookieJarProvider, hashCodeProvider) {
                                  var hashCodeOf = hashCodeProvider.hashCodeOf;

                                  proxyProvider.configureProxiesUsing(window.bindings);

                                  cookieJarProvider.describe({
                                      label: 'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
                                      shelfLife: 365
                                  });
                              });
                      </script>
          ----

          == Inline Script Block
          Line: 61
          ----
          <script>
                              window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;

                              ga('create', 'UA-61694827-4', 'auto', {
                                  'userId': '${it.installation.anonymousCorrelationId()}',
                                  'sampleRate': 1
                              });

                              ga('set', {
                                  'forceSSL': true,
                                  'appName': 'Build Monitor',
                                  'appId': 'build-monitor-plugin',

                                  'appVersion': '${it.installation.buildMonitorVersion()}',
                                  'appInstallerId': '${h.version}',

                                  'dimension1': '${it.installation.size()}',
                                  'dimension2': '${it.items.size()}',
                                  'dimension3': '${it.installation.audience()}',
                                  'dimension4': '${it.installation.anonymousCorrelationId()}'
                              });

                              ga('send', 'screenview', {screenName: 'Dashboard'});
                          </script>
          ----

          == Inline Script Block
          Line: 134
          ----
          <script>
                          /*
                           * todo: (13.08.2013) Replace the below workaround with a custom Jelly tag (ExposeBindTag)
                           * extending either org.kohsuke.stapler.jelly.BindTag or AbstractStaplerTag,
                           * that would supersede currently defective BindTag implementation:
                           * - https://groups.google.com/forum/#!topic/jenkinsci-dev/S9bhX4ts0g4
                           * - https://issues.jenkins-ci.org/browse/JENKINS-18641
                           *
                           * Defect in BindTag manifests itself by causing a JavaScript error and preventing scripts after
                           * the &lt;st:bind&gt; invocation from executing, which results in an "empty Build Monitor".
                           * The issue occurs on Jenkins 1.521-1.526, only if the jQuery plugin is used.
                           *
                           * Motivation behind a custom Jelly tag:
                           * Original implementation of the BindTag doesn't provide an easy way of handling AJAX errors,
                           * which may happen if a network connection is lost or when Jenkins is restarted (which then makes
                           * Stapler's binding hash obsolete and Jenkins return 404 for any subsequent requests).
                           *
                           * Custom Jelly tag should generate a JSON object exposing the binding, leaving the implementation
                           * of the proxy to the Developer. It makes more sense for a developer to require a binding adapter
                           * implementation specific to their JavaScript framework of choice, rather than for Stapler to try
                           * to predict what JavaScript libraries will ever be used with it in the future...
                           */
                          window.originalMakeStaplerProxy = window.makeStaplerProxy;
                          window.makeStaplerProxy = function(url, crumb, methods) {
                              return { url: url, crumb: crumb, methods: methods }
                          };
                          window.bindings={};
                      </script>
          ----

          == Inline Script Block
          Line: 163
          ----
          <script>
                          window.bindings['buildMonitor'] = buildMonitorBind
                          window.makeStaplerProxy = window.originalMakeStaplerProxy;
                          try {
                              delete window.originalMakeStaplerProxy;
                          } catch(e) {
                              window["originalMakeStaplerProxy"] = undefined;
                          }
                      </script>
          ----

          == Inline Script Block
          Line: 186
          ----
          <script>
                          'use strict';

                          angular.

                              module('buildMonitor').

                              constant('BUILD_MONITOR_VERSION', '${it.installation.buildMonitorVersion()}').
                              constant('CSRF_CRUMB_FIELD_NAME', '${it.csrfCrumbFieldName}').

                              config(function(proxyProvider, cookieJarProvider, hashCodeProvider) {
                                  var hashCodeOf = hashCodeProvider.hashCodeOf;

                                  proxyProvider.configureProxiesUsing(window.bindings);

                                  cookieJarProvider.describe({
                                      label: 'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
                                      shelfLife: 365
                                  });
                              });
                      </script>
          ----
          {noformat}

          h4. Solution

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          New: h4. Problems

          {noformat}
          == Inline Script Block
          Line: 61
          ----
          <script>
                              window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;

                              ga('create', 'UA-61694827-4', 'auto', {
                                  'userId': '${it.installation.anonymousCorrelationId()}',
                                  'sampleRate': 1
                              });

                              ga('set', {
                                  'forceSSL': true,
                                  'appName': 'Build Monitor',
                                  'appId': 'build-monitor-plugin',

                                  'appVersion': '${it.installation.buildMonitorVersion()}',
                                  'appInstallerId': '${h.version}',

                                  'dimension1': '${it.installation.size()}',
                                  'dimension2': '${it.items.size()}',
                                  'dimension3': '${it.installation.audience()}',
                                  'dimension4': '${it.installation.anonymousCorrelationId()}'
                              });

                              ga('send', 'screenview', {screenName: 'Dashboard'});
                          </script>
          ----

          == Inline Script Block
          Line: 134
          ----
          <script>
                          /*
                           * todo: (13.08.2013) Replace the below workaround with a custom Jelly tag (ExposeBindTag)
                           * extending either org.kohsuke.stapler.jelly.BindTag or AbstractStaplerTag,
                           * that would supersede currently defective BindTag implementation:
                           * - https://groups.google.com/forum/#!topic/jenkinsci-dev/S9bhX4ts0g4
                           * - https://issues.jenkins-ci.org/browse/JENKINS-18641
                           *
                           * Defect in BindTag manifests itself by causing a JavaScript error and preventing scripts after
                           * the &lt;st:bind&gt; invocation from executing, which results in an "empty Build Monitor".
                           * The issue occurs on Jenkins 1.521-1.526, only if the jQuery plugin is used.
                           *
                           * Motivation behind a custom Jelly tag:
                           * Original implementation of the BindTag doesn't provide an easy way of handling AJAX errors,
                           * which may happen if a network connection is lost or when Jenkins is restarted (which then makes
                           * Stapler's binding hash obsolete and Jenkins return 404 for any subsequent requests).
                           *
                           * Custom Jelly tag should generate a JSON object exposing the binding, leaving the implementation
                           * of the proxy to the Developer. It makes more sense for a developer to require a binding adapter
                           * implementation specific to their JavaScript framework of choice, rather than for Stapler to try
                           * to predict what JavaScript libraries will ever be used with it in the future...
                           */
                          window.originalMakeStaplerProxy = window.makeStaplerProxy;
                          window.makeStaplerProxy = function(url, crumb, methods) {
                              return { url: url, crumb: crumb, methods: methods }
                          };
                          window.bindings={};
                      </script>
          ----

          == Inline Script Block
          Line: 163
          ----
          <script>
                          window.bindings['buildMonitor'] = buildMonitorBind
                          window.makeStaplerProxy = window.originalMakeStaplerProxy;
                          try {
                              delete window.originalMakeStaplerProxy;
                          } catch(e) {
                              window["originalMakeStaplerProxy"] = undefined;
                          }
                      </script>
          ----

          == Inline Script Block
          Line: 186
          ----
          <script>
                          'use strict';

                          angular.

                              module('buildMonitor').

                              constant('BUILD_MONITOR_VERSION', '${it.installation.buildMonitorVersion()}').
                              constant('CSRF_CRUMB_FIELD_NAME', '${it.csrfCrumbFieldName}').

                              config(function(proxyProvider, cookieJarProvider, hashCodeProvider) {
                                  var hashCodeOf = hashCodeProvider.hashCodeOf;

                                  proxyProvider.configureProxiesUsing(window.bindings);

                                  cookieJarProvider.describe({
                                      label: 'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
                                      shelfLife: 365
                                  });
                              });
                      </script>
          ----
          {noformat}

          h4. Solution

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          Yaroslav Afenkin made changes -
          Assignee New: Yaroslav Afenkin [ yafenkin ]
          Yaroslav Afenkin made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Yaroslav Afenkin made changes -
          Remote Link New: This issue links to "jenkinsci/build-monitor-plugin/pull/1034 (Web Link)" [ 30201 ]
          Yaroslav Afenkin made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]

          Basil Crow added a comment -

          Basil Crow added a comment - Fixed in jenkinsci/build-monitor-plugin#1034. Released in 1.14-947.vfec2cf655fe2.
          Basil Crow made changes -
          Released As New: 1.14-947.vfec2cf655fe2
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Closed [ 6 ]

            yafenkin Yaroslav Afenkin
            basil Basil Crow