@daniel-beck

JENKINS-74745

This removes the inline JS in favor of an `a` link. This link works even when Jenkins 2.539+ enforces Content Security Policy, prohibiting inline scripts.

#457 discusses problems with the feature as it currently exists, so it's not clear to me what the supported use cases are. If the use case is indeed showing the image in an iframe, this PR will not help, unless administrators use https://plugins.jenkins.io/csp/ to relax the frame-ancestors directive (which is still better than having to allow script-src 'unsafe-inline' though).

Testing done

Accessed the image URL directly. With valid ?link value, click opens new tab. Without, no link. With and without CSP enforcement.

In an iframe, without CSP enforcing frame-ancestors, it also works.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed
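
The check below is an added example, not code from this pull request or from the plugin: it flags markup that Content Security Policy blocks unless `script-src` allows `'unsafe-inline'`, run over a status image before and after the kind of change described above. The sample SVG, the `ci.example.org` URL and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup, not the plugin's actual output.
BEFORE = """<svg xmlns="http://www.w3.org/2000/svg" width="90" height="20"
     onclick="window.open('https://ci.example.org/job/demo/')">
  <text x="5" y="14">build passing</text>
</svg>"""

AFTER = """<svg xmlns="http://www.w3.org/2000/svg" width="90" height="20">
  <a href="https://ci.example.org/job/demo/" target="_blank">
    <text x="5" y="14">build passing</text>
  </a>
</svg>"""

URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction"}


class InlineScriptFinder(HTMLParser):
    """Records markup that CSP blocks unless script-src allows 'unsafe-inline'."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, attribute)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = {name for name, _ in attrs}
        # A <script> with no external source carries its code inline.
        if tag == "script" and not names & {"src", "href", "xlink:href"}:
            self.findings.append((line, tag, "inline-script", ""))
        for name, value in attrs:
            # html.parser lowercases attribute names, so onClick is caught too.
            if name.startswith("on"):
                self.findings.append((line, tag, "event-handler", name))
            # Scheme match ignores case; dropping all whitespace over-approximates.
            compact = "".join((value or "").split()).lower()
            if name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append((line, tag, "javascript-url", name))


def find_inline_script(markup):
    """Return findings for one document; an empty list means nothing to block."""
    finder = InlineScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, find_inline_script(doc))
```
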

@daniel-beck daniel-beck requested a review from a team as a code owner December 9, 2025 11:26
@MarkEWaite MarkEWaite added the bug Incorrect or flawed behavior label Dec 9, 2025

@MarkEWaite MarkEWaite left a comment

Thanks!

@MarkEWaite MarkEWaite merged commit d878e68 into jenkinsci:master Dec 12, 2025
18 checks passed
@daniel-beck daniel-beck deleted the JENKINS-74745 branch December 12, 2025 19:29

Successfully merging this pull request may close these issues.

[JENKINS-74745] [embeddable-build-status] Extract inline event handler in StatusImage