simple-theme-plugin
CSS text theme element is not CSP compliant
What feature do you want to see added?
When you add a CssTextTheme element, this is rendered as an inline style element. This is a violation of common CSP settings.
The element should either be deprecated or changed in a way so that it generates a URL from where the CSS is loaded, e.g. via an UnprotectedRootAction.
Upstream changes
No response
Are you interested in contributing this feature?
No response
Hmm. Are such strict CSPs common? I commonly saw "safe" policies using "unsafe-inline" for styles. Even https://csp-evaluator.withgoogle.com/ does not complain about "unsafe-inline" for styles.
(Nevertheless, I do agree it would be better to change the plugin to not need such exceptions...)
For now, for practical reasons, both CSP plugin 1.x (legacy) defaults, and https://www.jenkins.io/changelog/2.539/ defaults, allow style-src 'unsafe-inline'.
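The question this thread turns on, whether a given policy lets an inline style element render, can be checked mechanically. The following is an added example, not code from the issue, the plugin or Jenkins. It evaluates a single policy string using the CSP Level 3 fallback chain; the function names and sample policies are constructed for illustration, and it assumes the element carries no nonce and matches no listed hash.

```javascript
// Added example: decide whether a plain inline <style> element is permitted
// by one Content-Security-Policy value. Assumption: the element has no nonce
// attribute and its content matches no hash source in the policy.

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStyleElementAllowed(policy) {
  const directives = parsePolicy(policy);
  const governing = ["style-src-elem", "style-src", "default-src"]
    .find((name) => directives.has(name));
  if (governing === undefined) {
    return { allowed: true, directive: null, reason: "no directive governs styles" };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-[^']+'$/.test(s));
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  if (hasUnsafeInline && !hasNonceOrHash) {
    return { allowed: true, directive: governing, reason: "'unsafe-inline' present" };
  }
  if (hasUnsafeInline) {
    return { allowed: false, directive: governing, reason: "'unsafe-inline' ignored: nonce or hash source present" };
  }
  return { allowed: false, directive: governing, reason: "no 'unsafe-inline'" };
}

// Constructed sample policies, not taken from Jenkins or any plugin.
const samples = [
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "default-src 'self'; style-src 'self'",
  "default-src 'self'",
  "style-src 'self' 'unsafe-inline' 'nonce-cjRuZDBt'",
  "script-src 'self'",
];
for (const p of samples) {
  const r = inlineStyleElementAllowed(p);
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${p}  (${r.reason})`);
}
```

A policy that adds a nonce or hash source next to `'unsafe-inline'` blocks un-nonced inline styles in browsers that honour nonces and hashes, which is the fourth sample above.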