Skip to content

Make Secret Token updates work when CSP is enforced #1840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
krisstern merged 4 commits into from
Dec 5, 2025
Merged

Make Secret Token updates work when CSP is enforced #1840

krisstern merged 4 commits into from
Dec 5, 2025

Conversation

@daniel-beck
Copy link
Member

@daniel-beck daniel-beck commented Nov 25, 2025
edited
Loading

Fixes #1837 by no longer depending on the undocumented f:validateButton feature. I recommend squash-merging due to unclean PR commit history.

As a bonus, made the form field ID a little more unique, in case there'd be some other plugin with a secretToken field.

Testing done

Clicked the buttons in a freestyle config, see #1837. Saving still works, new value is effective on page load.

With CSP plugin installed, no new CSP findings in Manage Jenkins » Content Security Policy Report.

Screenshots

Before

Screenshot 2025-12-02 at 18 23 58

After

Screenshot 2025-12-02 at 18 21 54

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Nov 25, 2025
@daniel-beck daniel-beck marked this pull request as ready for review December 2, 2025 12:55
@daniel-beck daniel-beck requested a review from a team as a code owner December 2, 2025 12:55
krisstern
krisstern approved these changes Dec 5, 2025
View reviewed changes
Copy link
Member

@krisstern krisstern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @daniel-beck for the PR!
LGTM

@krisstern krisstern merged commit 1ef62f5 into jenkinsci:master Dec 5, 2025
18 checks passed
@daniel-beck daniel-beck deleted the fix-validateButton-script-csp branch December 5, 2025 15:56
@daniel-beck daniel-beck added the rfe label Dec 8, 2025
@darinpope darinpope mentioned this pull request Dec 8, 2025
Closed
@daniel-beck daniel-beck mentioned this pull request Dec 8, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krisstern krisstern krisstern approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rfe

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

The buttons "Generate" and "Clear" for the "Secret token" configuration break with CSP prohibiting inline scripts

2 participants

@daniel-beck @krisstern