CSP compatibility improvements #533
Conversation
| @@ -49,10 +49,6 @@ | |||
| </f:bottomButtonBar> | |||
| </f:form> | |||
| </j:scope> | |||
| <script> | |||
There was a problem hiding this comment.
The sticky footer no longer needs realigning explicitly from JS.
| @@ -72,10 +72,6 @@ | |||
| <f:submit value="${%Create}"/> | |||
| </f:bottomButtonBar> | |||
| </f:form> | |||
| <script> | |||
There was a problem hiding this comment.
The sticky footer no longer needs realigning explicitly from JS.
| @@ -44,7 +44,7 @@ | |||
| <j:otherwise> | |||
| <f:form action="configSubmit" method="POST" name="config"> | |||
| <f:entry title="${%Name}" help="/plugin/credentials/help/domain/name.html"> | |||
| <f:textbox field="name" id="name" onchange="updateSave(this.form)" onkeyup="updateSave(this.form)"/> | |||
| <f:textbox field="name" clazz="required-for-submit"/> | |||
There was a problem hiding this comment.
Moved to formBehaviour.js
| @@ -54,28 +54,14 @@ | |||
| items="${instance.specifications}"/> | |||
| </f:entry> | |||
| <f:bottomButtonBar> | |||
| <input type="submit" name="Submit" value="${%Save}" id="save" class="submit-button primary" /> | |||
| <button formnovalidate="formNoValidate" id="save" name="Submit" class="jenkins-button jenkins-button--primary"> | |||
There was a problem hiding this comment.
Switched to standard button to avoid the need for makeButton JS function.
| } | ||
|
|
||
| // workaround for JENKINS-19124 | ||
| // without this script, the password changes will be not trigger the check on the uploadedKeystore |
There was a problem hiding this comment.
The code changed significantly but the reasoning is still the same: I couldn't find a way how to make password textfield trigger validation of the cert field, since there are multiple fields named password in the form and they are on higher level than the cert upload field.
There was a problem hiding this comment.
@RealativePath(..) is the way. There is a bug https://issues.jenkins.io/browse/JENKINS-65616 that causes this to work for some validation triggers, but not others.
There was a problem hiding this comment.
The relative path can't be just password because the field is on a higher level. But the relative path ../password matches the wrong password.
zbynek
force-pushed
the
csp
branch
3 times, most recently
from
8a4ee3f
to
da5c849
Compare
| @@ -0,0 +1,57 @@ | |||
| // multiple objects named "password" in the form => | |||
| // extend findNearBy to allow selecting by id | |||
| if (!findNearBy.patched) { | |||
There was a problem hiding this comment.
I think allowing IDs or CSS selectors in checkDependsOn instead of just names would help with ambiguities. Should be probably done in core, but for now can be patched in plugins like this.
@daniel-beck do you have a better idea?
There was a problem hiding this comment.
@jenkinsci/core-security-review Any objection to this technique?
...s/plugins/credentials/impl/CertificateCredentialsImpl/UploadedKeyStoreSource/configUpload.js
Outdated
Show resolved
Hide resolved
The YUI library is old and no longer maintained. Add a user experimental flag to disable YUI. It's disabled by default. When enabling all the YUI related js libraries and css classes are not loaded. Following PR are required to get Jenkins to not show any errors eventually jenkinsci#7569 Some plugins that use YUI (not complete): credentials ldap global-build-stats build-monitor categorized-view Plugins that make use of makeButton (not complete) credentials (fixed with jenkinsci/credentials-plugin#533) openid acceptance-test-harness
The YUI library is old and no longer maintained. Add a user experimental flag to disable YUI. It's disabled by default. When enabling all the YUI related js libraries and css classes are not loaded. Following PR are required to get Jenkins to not show any errors eventually jenkinsci#7569 Some plugins that use YUI (not complete): credentials ldap global-build-stats build-monitor categorized-view Plugins that make use of makeButton (not complete) credentials (fixed with jenkinsci/credentials-plugin#533) openid acceptance-test-harness
* experimental flag to run Jenkins without YUI The YUI library is old and no longer maintained. Add a user experimental flag to disable YUI. It's disabled by default. When enabling all the YUI related js libraries and css classes are not loaded. Following PR are required to get Jenkins to not show any errors eventually #7569 Some plugins that use YUI (not complete): credentials ldap global-build-stats build-monitor categorized-view Plugins that make use of makeButton (not complete) credentials (fixed with jenkinsci/credentials-plugin#533) openid acceptance-test-harness * fix typo Co-authored-by: Jan Faracik <43062514+janfaracik@users.noreply.github.com> * add license and restrict class --------- Co-authored-by: Jan Faracik <43062514+janfaracik@users.noreply.github.com>
|
@mawinter69 note that this is only partial fix for removing YUI from this plugin, there will still one YUI button and one popup menu left. |
|
I know #551 will do the rest |
| } | ||
| } | ||
|
|
||
| // workaround for JENKINS-65616 |
There was a problem hiding this comment.
JENKINS-65616 aka Form validation not working with different "level/layer" of fields
Somewhat related to https://issues.jenkins.io/browse/JENKINS-73166 which showed that
gevalis used by this plugin.This PR reduces usages of inline JS to improve CSP compatibility.
Testing done
Manually checked that the affected functionality is still OK:
Submitter checklist