
[JENKINS-74891] Extract inline JavaScript from EmailExtTemplateAction/index.groovy #569

Merged
merged 1 commit into from
Dec 5, 2024

Conversation

yaroslavafenkin
Contributor

https://issues.jenkins.io/browse/JENKINS-74891

There's still a problem with the mechanism that renders the template. It's rendered inside an iframe element. Default CSP header that's set by Content Security Policy does not define frame-src, hence default-src is used, which only allows 'self'. This means that data: src for iframe is not allowed, which prohibits templates from being rendered in restrictive mode. This is also demonstrated in the "After the change" video below.

Depending on how wanted this feature is, it can either be fixed or deprecated with a notice that it doesn't work in CSP restrictive mode.
Alternatively, the CSP plugin could define a frame-src policy that we'd consider safe (probably a question to @jenkinsci/core-security-review what sources would be safe). I have doubts that data: will make it into the list of safe sources.

Testing done

Before the change
After the change

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@yaroslavafenkin yaroslavafenkin requested a review from a team as a code owner December 4, 2024 13:34
@slide
Member

slide commented Dec 4, 2024

Could the iframe be replaced with an <object> tag? I am not a web developer by any means, but it looked from googling that it might be possible?

@slide
Member

slide commented Dec 4, 2024

I did a quick check with using <object> instead of <iframe> and I see a template rendered correctly, but it does not bypass the issue with CSP as it sets .data on the object tag similar to the src for the iframe. Is there a way to render HTML with CSP enforcement?

@yaroslavafenkin
Contributor Author

> I did a quick check with using <object> instead of <iframe> and I see a template rendered correctly, but it does not bypass the issue with CSP as it sets .data on the object tag similar to the src for the iframe. Is there a way to render HTML with CSP enforcement?

I think setting a source for the iframe that falls under 'self' should be compliant. I.e. the plugin would directly serve an HTML file and set a link to the file as the iframe source.
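The fallback chain the PR description relies on (no frame-src, so default-src governs the iframe, and 'self' never matches a data: URL) and the same-origin alternative proposed above, as an added example that is not part of this PR or of the email-ext plugin; the policy header and URLs are constructed:

```javascript
// Added example, not code from the email-ext plugin: a minimal CSP evaluator
// for iframe sources, showing which directive governs a frame and whether a
// given src is allowed. Policy strings and URLs below are constructed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// CSP3 fallback chain for frames: frame-src, then child-src, then default-src.
function governingDirective(policy) {
  return ["frame-src", "child-src", "default-src"].find((d) => policy[d]) || null;
}

function sourceMatches(source, src, pageOrigin) {
  const s = source.replace(/^'|'$/g, "").toLowerCase();
  const url = new URL(src, pageOrigin); // a relative src resolves against the page
  if (s === "none") return false;
  // data:/blob: URLs have an opaque origin ("null"), so they never match 'self'.
  if (s === "self") return url.origin === pageOrigin;
  if (s === "*") return !/^(data|blob|filesystem):$/.test(url.protocol);
  if (s.endsWith(":")) return url.protocol === s; // scheme-source such as data:
  // Host-source, simplified here to an exact origin match (no wildcard hosts).
  return url.origin === new URL(s.includes("://") ? s : "https://" + s).origin;
}

function frameAllowed(header, src, page) {
  const pageOrigin = new URL(page).origin;
  const policy = parseCsp(header);
  const directive = governingDirective(policy);
  if (!directive) return { allowed: true, directive: null };
  const sources = policy[directive];
  if (sources.length === 0) return { allowed: false, directive }; // empty list acts as 'none'
  return { allowed: sources.some((s) => sourceMatches(s, src, pageOrigin)), directive };
}

// Constructed restrictive policy, modelled on the description's "default-src only allows 'self'".
const policyHeader = "default-src 'self'; script-src 'self'";
const page = "https://jenkins.example.invalid/";
// data: iframe source: governed by default-src, rejected because 'self' never matches data:.
console.log(frameAllowed(policyHeader, "data:text/html,<p>template</p>", page));
// Same-origin file served by the plugin (the alternative above): allowed under 'self'.
console.log(frameAllowed(policyHeader, "/plugin/email-ext/rendered-template.html", page));
```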

@slide
Member

slide commented Dec 5, 2024

I think all of that is outside the scope of this PR, so I'm happy to merge and look at options for full compliance later.

@slide slide merged commit fa02568 into jenkinsci:main Dec 5, 2024
17 checks passed
@basil basil added the internal label Dec 17, 2024