Merge branch 'master' into progressive-rendering-fix

Author: MarkEWaite

.github/workflows/announce-lts-rc.yml

@@ -17,7 +17,7 @@ jobs:
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@afe978662944c6805dd197bac88b27acb0bda55a # v8
+        uses: dawidd6/action-send-mail@62a2d05b79935ad4fb90ce9079928099579c14ac # v9
         with:
           server_address: smtp.gmail.com
           server_port: 465

Jenkinsfile

@@ -71,7 +71,7 @@ axes.values().combinations {
     }
     int retryCount = 0
     retry(conditions: [kubernetesAgent(handleNonKubernetes: true), nonresumable()], count: 2) {
-      if (retryCount == 1 && platform == 'windows' ) {
+      if (retryCount == 1) {
         agentContainerLabel = agentContainerLabel + '-nonspot'
       }
       // Increment before allocating the node in case it fails

bom/pom.xml

@@ -41,7 +41,7 @@ THE SOFTWARE.
     <commons-fileupload2.version>2.0.0-M4</commons-fileupload2.version>
     <groovy.version>2.4.21</groovy.version>
     <jelly.version>1.1-jenkins-20250731</jelly.version>
-    <stapler.version>2072.ve00de895a_40c</stapler.version>
+    <stapler.version>2074.v6ff4fa_fccff7</stapler.version>
   </properties>
 
   <dependencyManagement>

core/src/main/java/hudson/diagnosis/ReverseProxySetupMonitor.java

@@ -34,6 +34,7 @@
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import jenkins.security.stapler.StaplerDispatchable;
+import jenkins.util.ClientHttpRedirect;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
@@ -127,7 +128,7 @@ public HttpResponse doAct(@QueryParameter String no) throws IOException {
             // of course the irony is that this redirect won't work
             return HttpResponses.redirectViaContextPath("/manage");
         } else {
-            return new HttpRedirect("https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy");
+            return new ClientHttpRedirect("https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy");
         }
     }
 

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

@@ -24,15 +24,17 @@
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import jenkins.security.HexStringConfidentialKey;
+import jenkins.util.ClientHttpRedirect;
 import jenkins.util.SystemProperties;
 import net.sf.json.JSONObject;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest2;
-import org.kohsuke.stapler.StaplerResponse2;
 import org.kohsuke.stapler.verb.POST;
 import org.springframework.security.core.Authentication;
 
@@ -181,15 +183,14 @@ public String getDisplayName() {
         }
 
         @POST
-        public void doAct(StaplerRequest2 req, StaplerResponse2 rsp, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
+        public HttpResponse doAct(StaplerRequest2 req, @QueryParameter String learn, @QueryParameter String dismiss) throws IOException, ServletException {
             if (learn != null) {
-                rsp.sendRedirect("https://www.jenkins.io/redirect/csrf-protection/");
-                return;
+                return new ClientHttpRedirect("https://www.jenkins.io/redirect/csrf-protection/");
             }
             if (dismiss != null) {
                 disable(true);
             }
-            rsp.forwardToPreviousPage(req);
+            return HttpResponses.forwardToPreviousPage();
         }
     }
 

core/src/main/java/hudson/util/HttpResponses.java

@@ -31,6 +31,7 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
+import jenkins.util.ClientHttpRedirect;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.HttpResponse;
@@ -51,6 +52,16 @@ public static HttpResponse staticResource(File f) throws IOException {
         return staticResource(f.toURI().toURL());
     }
 
+    /**
+     * Redirect to the given URL via a client-side JS/meta tag redirect.
+     * @param url the URL to redirect to
+     * @return the HttpResponse
+     * @since TODO
+     */
+    public static HttpResponse clientRedirectTo(String url) {
+        return new ClientHttpRedirect(url);
+    }
+
     /**
      * Create an empty "ok" response.
      *

core/src/main/java/jenkins/agents/CloudSet.java

@@ -225,9 +225,8 @@ public synchronized void doCreate(StaplerRequest2 req, StaplerResponse2 rsp,
 
             // copy through XStream
             String xml = Jenkins.XSTREAM.toXML(src);
-            // Not great, but cloud name is final
-            xml = xml.replace("<name>" + src.name + "</name>", "<name>" + name + "</name>");
             Cloud result = (Cloud) Jenkins.XSTREAM.fromXML(xml);
+            result.name = name;
             jenkins.clouds.add(result);
             // send the browser to the config page
             rsp.sendRedirect2(Functions.getNearestAncestorUrl(req, jenkins) + "/" + result.getUrl() + "configure");

core/src/main/java/jenkins/monitor/JavaVersionRecommendationAdminMonitor.java

@@ -38,12 +38,12 @@
 import java.util.NavigableMap;
 import java.util.TreeMap;
 import jenkins.model.Jenkins;
+import jenkins.util.ClientHttpRedirect;
 import jenkins.util.SystemProperties;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
-import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.QueryParameter;
@@ -138,7 +138,7 @@ public HttpResponse doAct(@QueryParameter String no) throws IOException {
             disable(true);
             return HttpResponses.forwardToPreviousPage();
         } else {
-            return new HttpRedirect("https://jenkins.io/redirect/java-support/");
+            return new ClientHttpRedirect("https://jenkins.io/redirect/java-support/");
         }
     }
 

core/src/main/java/jenkins/security/csp/impl/CspFilter.java

@@ -63,12 +63,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         final String headerName = cspDecorator.getContentSecurityPolicyHeaderName();
         final boolean headerShouldBeSet = headerName != null;
 
-        // This is the preliminary value outside Stapler request handling (and providing a context object)
-        final String headerValue = cspDecorator.getContentSecurityPolicyHeaderValue(req);
-
         final boolean isResourceRequest = ResourceDomainConfiguration.isResourceRequest(req);
 
+        String headerValue = "";
+
         if (headerShouldBeSet && !isResourceRequest) {
+            // This is the preliminary value outside Stapler request handling (and providing a context object)
+            headerValue = cspDecorator.getContentSecurityPolicyHeaderValue(req);
+
             // The Filter/Decorator approach needs us to "set" headers rather than "add", so no additional endpoints are supported at the moment.
             final String reportingEndpoints = cspDecorator.getReportingEndpointsHeaderValue(req);
             if (reportingEndpoints != null) {
@@ -80,10 +82,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         try {
             chain.doFilter(req, rsp);
         } finally {
-            if (headerShouldBeSet) {
+            if (headerShouldBeSet && !isResourceRequest) {
                 try {
                     final String actualHeader = rsp.getHeader(headerName);
-                    if (!isResourceRequest && hasUnexpectedDifference(headerValue, actualHeader)) {
+                    if (hasUnexpectedDifference(headerValue, actualHeader)) {
                         LOGGER.log(Level.FINE, "CSP header has unexpected differences: Expected '" + headerValue + "' but got '" + actualHeader + "'");
                     }
                 } catch (RuntimeException e) {

core/src/main/java/jenkins/util/ClientHttpRedirect.java

@@ -0,0 +1,49 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2026, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.util;
+
+import hudson.Util;
+import jakarta.servlet.ServletException;
+import java.io.IOException;
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+
+/**
+ * An HTTP response that redirects the client to the given URL.
+ * Unlike {@link org.kohsuke.stapler.HttpRedirect}, this implements a client-side redirect (using meta tag and/or JavaScript).
+ * This allows the redirect to work even when Content Security Policy is enforced in Chrome
+ * (which applies {@code form-action} to redirects after form submission).
+ * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/form-action">MDN documentation on form-action</a>
+ * @see <a href="https://github.com/w3c/webappsec-csp/issues/8">Content Security Policy issue discussing this behavior</a>
+ * @since TODO
+ */
+public record ClientHttpRedirect(String redirectUrl) implements HttpResponse {
+    @Override
+    public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object o) throws IOException, ServletException {
+        rsp.setContentType("text/html;charset=UTF-8");
+        Util.printRedirect(req.getContextPath(), redirectUrl, redirectUrl, rsp.getWriter());
+    }
+}