Add target attribute to badges and summaries#244
Conversation
|
@chonton First of all thanks for the contribution. I’ll review the changes and come back to you. Already looks good, I just want to verify if it is breaking compatibility with consumers of the plugin. |
|
@chonton Changes look good so far. I had to retain the old constructors to keep compatibility with upstream One thing I'm a little worried about is that the |
|
Anchor target=_blank implies rel=noopener by default Unsanitized input is a concern. How are cssClass and style sanitized? |
Fair point. I did some more testing and did not find any issues with it so far. One thing I would like to also add is the support for |
strangelookingnerd
changed the title
target attribute to badges and summaries
|
My use case is more urgent for AddBadge target, and I can wait. I was dismayed that hudson/summary did not have "target" support and did not look further. Many thanks for knowing (or finding) that fix. I suspect that adding target to summary won't break this plugin, even if the jenkins instance is not updated. |
|
After discussion with @daniel-beck in jenkinsci/jenkins#10508 I came to the conclusion that it would be better (= safer & less error prone) to not allow setting the @chonton Is this fine for your requirement / use case or do you actually need to set the |
|
I intend to have a target per badge type. For the github link, target would be 'github'. For the jira link, target would be 'jira'. For the 'sonarqube' link, target would be 'sonarqube'. For the 'snyk' link, target would be 'snyk'. What is the supported set of browsers? Should this plugin support hopelessly outdated browsers that have many other security flaws? Browsers since ~2021 have automatically defaulted rel="noopener" behavior for target="_blank". The firefox hack requiring rel="norefer" has likewise been fixed in that timeframe. |
Okay, I see. Thanks for the clarification. For badges that should be possible as the implementation does not rely on something from |
mPokornyETM
left a comment
mPokornyETM
left a comment
There was a problem hiding this comment.
Mya you pls paste screenshot before and after your changes.
src/main/resources/com/jenkinsci/plugins/badge/action/BadgeSummaryAction/summary.jelly
As a matter of fact there is no difference here. Visuals are identical as the changes I made in |
I see and undestand that. But exactly therefore I want to see, that everything is fine. Just for validation. My aproval is done |
|
@mPokornyETM Could you hold off releasing this for a bit? I want to check something. |
|
@daniel-beck Just ping me whenever you are done checking something 😄 I wanted to include something else in the next release anyway that is lying in my workspace for some time now. |
|
Related to our core conversaion, I had to check what Cross-Origin-Opener-Policy does again, given that this PR allows setting AFAIUI as a result of that option this PR will not create problems if a lowly Job/Configure'r defines badges, as they won't be able to mess with other users' browsers, so should be fine. If you know more, now would be a great time to let me know 😉 |
That pretty much confirms what I verified on my end as well. As #244 (comment) points out, all supported browsers already provide sufficient measures to mitigate any harmful configuration. I further found no way to mess up the Jenkins UI with any misconfiguration. What's left are the points raised in jenkinsci/jenkins#10508 (comment). Leaving the value of a |
4 participants
Add target attribute to AddBadge. Target is the anchor target, allowing badge to link to specified frame; end user does not need to context click to open link in new tab.
Testing done
Unit tests and hpi:run manual testing to verify link with target works as expected
Submitter checklist