content/doc/developer/security/csp.adoc
12 additions & 0 deletions
@@ -44,6 +44,9 @@ This header is used to return JavaScript code to be executed on the client side.
44
44
Resources loaded from other domains::
45
45
Any images, scripts, styles, etc. loaded from other domains cause problems.
46
46
Resources should be hosted by Jenkins.
47
+
Redirecting to a different domain in response to a form submission::
48
+
Google Chrome refuses to be redirected using HTTP 3xx responses based on the `form-action` CSP directive.
49
+
A relatively common example of this is some administrative monitors, which handle a form submission for a "Learn more" (or similarly labeled) button by redirecting users to documentation on jenkins.io.
47
50
48
51
49
52
== Dynamically Identifying Plugins
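Review bot: the added sentence "Google Chrome refuses to be redirected using HTTP 3xx responses based on the `form-action` CSP directive" reads as if Chrome blocked every 3xx; the actual restriction is that Chrome checks the redirect target of a form submission against `form-action`, so a 3xx to a domain not listed there is blocked. Suggest: "When a form submission is answered with an HTTP 3xx redirect, Google Chrome checks the redirect target against the `form-action` CSP directive and blocks redirects to other domains." Since this bullet only names the problem, consider linking it to the new `=== Redirecting to a different domain in response to a form submission` section added further down in this commit so readers find the recommended fix.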
@@ -231,6 +234,15 @@ Any dynamically determined images (e.g., "avatar" images based on user configura
231
234
In this case, make sure that only administrators can ultimately configure the domains that images can be loaded from.
232
235
For example, regular Jenkins users should not be able to, e.g., edit their user profile or configure a job in a certain way to allow a domain of their choice.
233
236
237
+
=== Redirecting to a different domain in response to a form submission
238
+
239
+
Jenkins 2.TODO introduces the `ClientHttpRedirect` and `HttpResponses#clientRedirectTo` APIs to perform client-side redirects after form submissions, which bypasses Google Chrome's CSP restrictions.
240
+
Use these instead of `HttpRedirect` or `HttpResponses#redirectTo`.
241
+
242
+
Alternatively, you can switch from `f:submit` or a `button` to a link, which can be made to look like a button: `<a class="jenkins-button">` (optionally other classes adding the correct primary/secondary/tertiary style).
243
+
This does not require updating your Jenkins core dependency to 2.TODO.
244
+
Another benefit of links is that you can set them up to always open in a new window with `target="_blank" rel="noopener noreferrer"`, preventing accidental navigation away from Jenkins on the current view.
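Review bot: `2.TODO` appears twice in this hunk as the release that introduces `ClientHttpRedirect` and `HttpResponses#clientRedirectTo`; replace the placeholder with the real version before merging, otherwise the section ships telling plugin authors to depend on a version that does not exist. Also, "which bypasses Google Chrome's CSP restrictions" describes the API as circumventing a security control; a client-side redirect is a new navigation issued after the form response has been rendered, so `form-action` does not apply to it. Suggest: "which are not subject to the `form-action` restriction because the redirect is a client-initiated navigation rather than the response to the form submission." Finally, switching from `f:submit` or a `button` to an `<a class="jenkins-button">` turns a form submission into a plain GET navigation, so it only fits buttons like "Learn more" that perform no state-changing action; worth saying so explicitly, since a state-changing action behind a GET link would need its own CSRF protection.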