Skip to content

Make JS and CSS URLs work when Jenkins 2.539+ enforce CSP protections #281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
daniel-beck wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Make JS and CSS URLs work when Jenkins 2.539+ enforce CSP protections #281

daniel-beck wants to merge 3 commits into from

Conversation

@daniel-beck
Copy link
Member

@daniel-beck daniel-beck commented Nov 25, 2025
edited
Loading

This allows loading admin-specified JS and CSS URLs from anywhere by allowing the specific configured URLs for the respective kind of element.

Resolves #280.

Testing done

Interactively played with it, URLs loaded, log output and header values are as expected.

A known limitation of this is is that any transitive inclusions in the specified files would not be allowed, as well as any other *-src required to work. Examples:

  • The included JS cannot do eval, that would still require 'unsafe-eval'.
  • The included CSS cannot do url(…) for a bunch of CSS directives (unless they point back to 'self' I guess).

There's always CSP plugin to allow your directives through configuration. And of course, writing a custom theme plugin is also doable. But this should take care of the folks who have fairly modest theming needs.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@daniel-beck daniel-beck changed the title Make JS URLs work with CSP Make JS and CSS URLs work with CSP Dec 5, 2025
@daniel-beck daniel-beck changed the title Make JS and CSS URLs work with CSP Make JS and CSS URLs work when Jenkins 2.539+ enforce CSP protections Dec 5, 2025
@daniel-beck daniel-beck marked this pull request as ready for review December 5, 2025 19:25
@daniel-beck daniel-beck requested a review from a team as a code owner December 5, 2025 19:25
@daniel-beck daniel-beck mentioned this pull request Dec 9, 2025
Open
@TobiX TobiX self-assigned this Jan 14, 2026
@daniel-beck
Copy link
Member Author

daniel-beck commented Jan 22, 2026

Another limitation is that if the resource files are hosted in /userContent, this will not work with Resource Root URL enabled (since the URLs serving the content are on a different domain). jenkinsci/jenkins#26164 tracks this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@TobiX TobiX

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make JsUrlThemeElement and CssUrlThemeElement work with CSP in Jenkins 2.539+

2 participants

@daniel-beck @TobiX