Backport 2.541.1 (#26070)

Author: MarkEWaite

core/src/main/java/jenkins/security/csp/CspHeader.java

@@ -24,6 +24,7 @@
 
 package jenkins.security.csp;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.Beta;
 
@@ -35,14 +36,16 @@
 @Restricted(Beta.class)
 public enum CspHeader {
     ContentSecurityPolicy("Content-Security-Policy"),
-    ContentSecurityPolicyReportOnly("Content-Security-Policy-Report-Only");
+    ContentSecurityPolicyReportOnly("Content-Security-Policy-Report-Only"),
+    None(null);
 
     private final String headerName;
 
     CspHeader(String headerName) {
         this.headerName = headerName;
     }
 
+    @CheckForNull
     public String getHeaderName() {
         return headerName;
     }

core/src/main/java/jenkins/security/csp/impl/CspDecorator.java

@@ -105,10 +105,11 @@ public String getReportingEndpointsHeaderValue(HttpServletRequest req) {
     }
 
     /**
-     * Determines the name of the HTTP header to set.
+     * Determines the name of the HTTP header to set, or {@code null} if none.
      *
      * @return the name of the HTTP header to set.
      */
+    @CheckForNull
     public String getContentSecurityPolicyHeaderName() {
         final Optional<CspHeaderDecider> decider = CspHeaderDecider.getCurrentDecider();
         if (decider.isPresent()) {

core/src/main/java/jenkins/security/csp/impl/CspFilter.java

@@ -61,12 +61,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
         CspDecorator cspDecorator = ExtensionList.lookupSingleton(CspDecorator.class);
         final String headerName = cspDecorator.getContentSecurityPolicyHeaderName();
+        final boolean headerShouldBeSet = headerName != null;
 
         // This is the preliminary value outside Stapler request handling (and providing a context object)
         final String headerValue = cspDecorator.getContentSecurityPolicyHeaderValue(req);
 
         final boolean isResourceRequest = ResourceDomainConfiguration.isResourceRequest(req);
-        if (!isResourceRequest) {
+
+        if (headerShouldBeSet && !isResourceRequest) {
             // The Filter/Decorator approach needs us to "set" headers rather than "add", so no additional endpoints are supported at the moment.
             final String reportingEndpoints = cspDecorator.getReportingEndpointsHeaderValue(req);
             if (reportingEndpoints != null) {
@@ -78,14 +80,16 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         try {
             chain.doFilter(req, rsp);
         } finally {
-            try {
-                final String actualHeader = rsp.getHeader(headerName);
-                if (!isResourceRequest && hasUnexpectedDifference(headerValue, actualHeader)) {
-                    LOGGER.log(Level.FINE, "CSP header has unexpected differences: Expected '" + headerValue + "' but got '" + actualHeader + "'");
+            if (headerShouldBeSet) {
+                try {
+                    final String actualHeader = rsp.getHeader(headerName);
+                    if (!isResourceRequest && hasUnexpectedDifference(headerValue, actualHeader)) {
+                        LOGGER.log(Level.FINE, "CSP header has unexpected differences: Expected '" + headerValue + "' but got '" + actualHeader + "'");
+                    }
+                } catch (RuntimeException e) {
+                    // Be defensive just in case
+                    LOGGER.log(Level.FINER, "Error checking CSP header after request processing", e);
                 }
-            } catch (RuntimeException e) {
-                // Be defensive just in case
-                LOGGER.log(Level.FINER, "Error checking CSP header after request processing", e);
             }
         }
     }

core/src/main/java/jenkins/security/csp/impl/SystemPropertyHeaderDecider.java

@@ -25,7 +25,9 @@
 package jenkins.security.csp.impl;
 
 import hudson.Extension;
+import hudson.Util;
 import java.util.Arrays;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -50,7 +52,8 @@ public Optional<CspHeader> decide() {
         final String systemProperty = SystemProperties.getString(SYSTEM_PROPERTY_NAME);
         if (systemProperty != null) {
             LOGGER.log(Level.FINEST, "Using system property: {0}", new Object[]{ systemProperty });
-            return Arrays.stream(CspHeader.values()).filter(h -> h.getHeaderName().equals(systemProperty)).findFirst();
+            final String expected = Util.fixEmptyAndTrim(systemProperty);
+            return Arrays.stream(CspHeader.values()).filter(h -> Objects.equals(expected, h.getHeaderName())).findFirst();
         }
         return Optional.empty();
     }

core/src/main/java/jenkins/telemetry/impl/ContentSecurityPolicy.java

@@ -0,0 +1,105 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.telemetry.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.ExtensionList;
+import java.time.LocalDate;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
+import jenkins.security.csp.AdvancedConfigurationDescriptor;
+import jenkins.security.csp.Contributor;
+import jenkins.security.csp.CspBuilder;
+import jenkins.security.csp.CspHeader;
+import jenkins.security.csp.CspHeaderDecider;
+import jenkins.security.csp.impl.CspConfiguration;
+import jenkins.telemetry.Telemetry;
+import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Collect information about Content Security Policy configuration.
+ *
+ */
+@Restricted(NoExternalUse.class)
+@Extension
+public class ContentSecurityPolicy extends Telemetry {
+
+    private static final Logger LOGGER = Logger.getLogger(ContentSecurityPolicy.class.getName());
+
+    @NonNull
+    @Override
+    public String getDisplayName() {
+        return "Content Security Policy";
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getStart() {
+        return LocalDate.of(2025, 12, 1);
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getEnd() {
+        return LocalDate.of(2026, 6, 1);
+    }
+
+    @Override
+    public JSONObject createContent() {
+        final JSONObject data = new JSONObject();
+        data.put("enforce", ExtensionList.lookupSingleton(CspConfiguration.class).isEnforce());
+        final Optional<CspHeaderDecider> decider = CspHeaderDecider.getCurrentDecider();
+        data.put("decider", decider.map(Object::getClass).map(Class::getName).orElse(null));
+        data.put("header", decider.map(CspHeaderDecider::decide).filter(Optional::isPresent).map(Optional::get).map(CspHeader::getHeaderName).orElse(null));
+
+        Set<String> contributors = new TreeSet<>();
+        ExtensionList.lookup(Contributor.class).stream().map(Contributor::getClass).map(Class::getName).forEach(contributors::add);
+        data.put("contributors", contributors);
+
+        Set<String> configurations = new TreeSet<>();
+        ExtensionList.lookup(AdvancedConfigurationDescriptor.class).stream().map(AdvancedConfigurationDescriptor::getClass).map(Class::getName).forEach(configurations::add);
+        data.put("configurations", configurations);
+
+        try {
+            Map<String, Map<String, Integer>> directivesSize = new CspBuilder().withDefaultContributions().getMergedDirectives().stream()
+                    .map(d -> Map.entry(d.name(), Map.of("entries", d.values().size(), "chars", String.join(" ", d.values()).length())))
+                    .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+            data.put("directivesSize", directivesSize);
+        } catch (RuntimeException ex) {
+            LOGGER.log(Level.FINE, "Error during directive processing", ex);
+        }
+
+        data.put("components", buildComponentInformation());
+        return data;
+    }
+}

core/src/main/java/jenkins/telemetry/impl/JavaSystemProperties.java

@@ -70,13 +70,13 @@ public String getDisplayName() {
     @NonNull
     @Override
     public LocalDate getStart() {
-        return LocalDate.of(2023, 12, 17);
+        return LocalDate.of(2026, 1, 4);
     }
 
     @NonNull
     @Override
     public LocalDate getEnd() {
-        return LocalDate.of(2024, 4, 1);
+        return LocalDate.of(2026, 4, 1);
     }
 
     @Override

core/src/main/resources/hudson/model/Run/console-log.jelly

@@ -29,7 +29,7 @@
     </j:when>
     <!-- output is completed now. -->
     <j:otherwise>
-      <pre class="console-output">
+      <pre id="out" class="console-output">
         <st:getOutput var="output" />
         <j:whitespace>${it.writeLogTo(offset,output)}</j:whitespace>
       </pre>

core/src/main/resources/hudson/slaves/Cloud/sidepanel.jelly

@@ -27,10 +27,11 @@ THE SOFTWARE.
     <l:header />
     <l:side-panel>
         <l:tasks>
-            <l:task contextMenu="false" href="." icon="symbol-computer" title="${%Status}"/>
-            <l:task href="configure" icon="symbol-settings"
+            <j:set var="url" value="${h.getNearestAncestorUrl(request2,it)}"/>
+            <l:task contextMenu="false" href="${url}/" icon="symbol-computer" title="${%Status}"/>
+            <l:task href="${url}/configure" icon="symbol-settings"
                     title="${app.hasPermission(app.ADMINISTER) ? '%Configure' : '%View Configuration'}"/>
-            <l:delete permission="${app.ADMINISTER}" title="${%Delete Cloud}" message="${%delete.cloud(it.displayName)}"/>
+            <l:delete permission="${app.ADMINISTER}" title="${%Delete Cloud}" message="${%delete.cloud(it.displayName)}" urlPrefix="${url}"/>
             <t:actions />
         </l:tasks>
         <j:forEach var="action" items="${it.allActions}">

core/src/main/resources/jenkins/security/csp/impl/CspDecorator/httpHeaders.jelly

@@ -23,6 +23,9 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
-    <st:setHeader name="${it.getContentSecurityPolicyHeaderName()}" value="${it.getContentSecurityPolicyHeaderValue(request2)}" />
-    <st:setHeader name="Reporting-Endpoints" value="${it.getReportingEndpointsHeaderValue(request2)}" />
+    <j:set var="cspHeaderName" value="${it.getContentSecurityPolicyHeaderName()}"/>
+    <j:if test="${cspHeaderName != null}">
+        <st:setHeader name="${cspHeaderName}" value="${it.getContentSecurityPolicyHeaderValue(request2)}" />
+        <st:setHeader name="Reporting-Endpoints" value="${it.getReportingEndpointsHeaderValue(request2)}" />
+    </j:if>
 </j:jelly>

core/src/main/resources/jenkins/security/csp/impl/SystemPropertyHeaderDecider/message.jelly

@@ -23,5 +23,14 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
-    <f:description>${%blurb(it.headerName)}</f:description>
+    <f:description>
+        <j:choose>
+            <j:when test="${it.headerName != null}">
+                ${%blurb(it.headerName)}
+            </j:when>
+            <j:otherwise>
+                ${%blurbUnset}
+            </j:otherwise>
+        </j:choose>
+    </f:description>
 </j:jelly>