[JENKINS-76263] Add Content-Security-Policy header (#11269)

Author: daniel-beck

core/src/main/java/hudson/markup/MarkupFormatter.java

@@ -35,11 +35,8 @@
 import java.io.Writer;
 import java.util.Collections;
 import java.util.Map;
-import java.util.function.Function;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
 import jenkins.util.SystemProperties;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -133,7 +130,7 @@ public HttpResponse doPreviewDescription(@QueryParameter String text) throws IOE
         translate(text, w);
         Map<String, String> extraHeaders = Collections.emptyMap();
         if (PREVIEWS_SET_CSP) {
-            extraHeaders = Stream.of("Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy").collect(Collectors.toMap(Function.identity(), v -> "default-src 'none';"));
+            extraHeaders = Map.of("Content-Security-Policy", "default-src 'none';");
         }
         return html(200, w.toString(), extraHeaders);
     }

core/src/main/java/hudson/model/DirectoryBrowserSupport.java

@@ -64,6 +64,7 @@
 import jenkins.security.MasterToSlaveCallable;
 import jenkins.security.ResourceDomainConfiguration;
 import jenkins.security.ResourceDomainRootAction;
+import jenkins.security.csp.CspHeader;
 import jenkins.util.SystemProperties;
 import jenkins.util.VirtualFile;
 import org.apache.commons.io.IOUtils;
@@ -398,13 +399,14 @@ private void serveFile(StaplerRequest2 req, StaplerResponse2 rsp, VirtualFile ro
                 rsp.sendRedirect(302, ResourceDomainRootAction.get().getRedirectUrl(resourceToken, req.getRestOfPath()));
             } else {
                 if (!ResourceDomainConfiguration.isResourceRequest(req)) {
-                    // if we're serving this from the main domain, set CSP headers
+                    // If we're serving this from the main domain, set CSP headers. These override the default CSP headers.
                     String csp = SystemProperties.getString(CSP_PROPERTY_NAME, DEFAULT_CSP_VALUE);
                     if (!csp.trim().isEmpty()) {
                         // allow users to prevent sending this header by setting empty system property
-                        for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                            rsp.setHeader(header, csp);
-                        }
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), csp);
+                    } else {
+                        // Clear the header value if configured by the user.
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), null);
                     }
                 }
                 InputStream in;

core/src/main/java/hudson/model/UsageStatistics.java

@@ -67,6 +67,8 @@
 import jenkins.security.FIPS140;
 import jenkins.util.SystemProperties;
 import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.StaplerRequest2;
 
 /**
@@ -103,8 +105,7 @@ public UsageStatistics(String keyImage) {
      * Returns true if it's time for us to check for new version.
      */
     public boolean isDue() {
-        // user opted out (explicitly or FIPS is requested). no data collection
-        if (!Jenkins.get().isUsageStatisticsCollected() || DISABLED || FIPS140.useCompliantAlgorithms()) {
+        if (!isEnabled()) {
             return false;
         }
 
@@ -116,6 +117,19 @@ public boolean isDue() {
         return false;
     }
 
+    /**
+     * Returns whether between UI configuration, system property, and environment,
+     * usage statistics should be submitted.
+     *
+     * @return true if and only if usage stats should be submitted
+     * @since TODO
+     */
+    @Restricted(NoExternalUse.class)
+    public static boolean isEnabled() {
+        // user opted out (explicitly or FIPS is requested). no data collection
+        return Jenkins.get().isUsageStatisticsCollected() && !DISABLED && !FIPS140.useCompliantAlgorithms();
+    }
+
     private RSAPublicKey getKey() {
         try {
             if (key == null) {

core/src/main/java/hudson/util/FormFieldValidator.java

@@ -231,9 +231,7 @@ private void _errorWithMarkup(String message, String cssClass) throws IOExceptio
         } else {
             response.setContentType("text/html;charset=UTF-8");
             if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-                for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                    response.setHeader(header, "sandbox; default-src 'none';");
-                }
+                response.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
             }
             response.getWriter().print("<div class=" + cssClass + ">" +
                     message + "</div>");

core/src/main/java/hudson/util/FormValidation.java

@@ -612,9 +612,7 @@ public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object n
     protected void respond(StaplerResponse2 rsp, String html) throws IOException, ServletException {
         rsp.setContentType("text/html;charset=UTF-8");
         if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-            for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                rsp.setHeader(header, "sandbox; default-src 'none';");
-            }
+            rsp.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
         }
         rsp.getWriter().print(html);
     }

core/src/main/java/jenkins/model/navigation/UserAction.java

@@ -42,6 +42,9 @@
 @Extension(ordinal = -1)
 public class UserAction implements RootAction {
 
+    @Restricted(NoExternalUse.class)
+    public static final String AVATAR_SIZE = "96x96";
+
     @Override
     public String getIconFileName() {
         User current = User.current();
@@ -50,7 +53,7 @@ public String getIconFileName() {
             return null;
         }
 
-        return getAvatar(current, "96x96");
+        return getAvatar(current, AVATAR_SIZE);
     }
 
     @Override

core/src/main/java/jenkins/security/csp/AdvancedConfiguration.java

@@ -0,0 +1,61 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import hudson.DescriptorExtensionList;
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+import hudson.model.Describable;
+import java.util.Optional;
+import jenkins.model.Jenkins;
+import jenkins.security.csp.impl.CspConfiguration;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.Beta;
+
+/**
+ * Add more advanced options to the {@link jenkins.security.csp.impl.CspConfiguration} UI.
+ *
+ * @since TODO
+ */
+@Restricted(Beta.class)
+public abstract class AdvancedConfiguration implements Describable<AdvancedConfiguration>, ExtensionPoint {
+    public static DescriptorExtensionList<AdvancedConfiguration, AdvancedConfigurationDescriptor> all() {
+        return Jenkins.get().getDescriptorList(AdvancedConfiguration.class);
+    }
+
+    /**
+     * Return the currently configured {@link jenkins.security.csp.AdvancedConfiguration}, if any.
+     *
+     * @param clazz the {@link jenkins.security.csp.AdvancedConfiguration} type to look up
+     * @param <T> the {@link jenkins.security.csp.AdvancedConfiguration} type to look up
+     * @return the configured instance, if any
+     */
+    public static <T extends AdvancedConfiguration> Optional<T> getCurrent(Class<T> clazz) {
+        return ExtensionList.lookupSingleton(CspConfiguration.class).getAdvanced().stream()
+                        .filter(a -> a.getClass() == clazz)
+                        .map(clazz::cast)
+                        .findFirst();
+    }
+}

core/src/main/java/jenkins/security/csp/AdvancedConfigurationDescriptor.java

@@ -0,0 +1,38 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import hudson.model.Descriptor;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.Beta;
+
+/**
+ * Descriptor for {@link jenkins.security.csp.AdvancedConfiguration}.
+ *
+ * @since TODO
+ */
+@Restricted(Beta.class)
+public abstract class AdvancedConfigurationDescriptor extends Descriptor<AdvancedConfiguration> {
+}

core/src/main/java/jenkins/security/csp/AvatarContributor.java

@@ -0,0 +1,129 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import hudson.Extension;
+import hudson.ExtensionList;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.Beta;
+
+/**
+ * This is a general extension for use by implementations of {@link hudson.tasks.UserAvatarResolver}
+ * and {@code AvatarMetadataAction} from {@code scm-api} plugin, or other "avatar-like" use cases.
+ * It simplifies allowlisting safe sources of avatars by offering simple APIs that take a complete URL.
+ */
+@Restricted(Beta.class)
+@Extension
+public class AvatarContributor implements Contributor {
+    private static final Logger LOGGER = Logger.getLogger(AvatarContributor.class.getName());
+
+    private final Set<String> domains = ConcurrentHashMap.newKeySet();
+
+    @Override
+    public void apply(CspBuilder cspBuilder) {
+        domains.forEach(d -> cspBuilder.add("img-src", d));
+    }
+
+    /**
+     * Request addition of the domain of the specified URL to the allowed set of avatar image domains.
+     * <p>
+     *     This is a utility method intended to accept any avatar URL from an undetermined, but trusted (for images) domain.
+     *     If the specified URL is not {@code null}, has a host, and {@code http} or {@code https} scheme, its domain will
+     *     be added to the set of allowed domains.
+     * </p>
+     * <p>
+     *     <strong>Important:</strong> Only implementations restricting specification of avatar URLs to at least somewhat
+     *     privileged users to should invoke this method, for example users with at least {@link hudson.model.Item#CONFIGURE}
+     *     permission. Note that this guidance may change over time and require implementation changes.
+     * </p>
+     *
+     * @param url The avatar image URL whose domain should be added to the list of allowed domains
+     */
+    public static void allow(@CheckForNull String url) {
+        String domain = extractDomainFromUrl(url);
+
+        if (domain == null) {
+            LOGGER.log(Level.FINE, "Skipping null domain in avatar URL: " + url);
+            return;
+        }
+
+        if (ExtensionList.lookupSingleton(AvatarContributor.class).domains.add(domain)) {
+            LOGGER.log(Level.CONFIG, "Adding domain '" + domain + "' from avatar URL: " + url);
+        } else {
+            LOGGER.log(Level.FINEST, "Skipped adding duplicate domain '" + domain + "' from avatar URL: " + url);
+        }
+    }
+
+    /**
+     * Utility method extracting the domain specification for CSP fetch directives from a specified URL.
+     * If the specified URL is not {@code null}, has a host, and {@code http} or {@code https} scheme, this method
+     * will return its domain.
+     * This can be used by implementations of {@link jenkins.security.csp.Contributor} for which {@link #allow(String)}
+     * is not flexible enough (e.g., requesting administrator approval for a domain).
+     *
+     * @param url the URL
+     * @return the domain from the specified URL, or {@code null} if the URL does not satisfy the stated conditions
+     */
+    @CheckForNull
+    public static String extractDomainFromUrl(@CheckForNull String url) {
+        if (url == null) {
+            return null;
+        }
+        try {
+            final URI uri = new URI(url);
+            final String host = uri.getHost();
+            if (host == null) {
+                // If there's no host, assume a local path
+                LOGGER.log(Level.FINER, "Ignoring URI without host: " + url);
+                return null;
+            }
+            String domain = host;
+            final String scheme = uri.getScheme();
+            if (scheme != null) {
+                if (scheme.equals("http") || scheme.equals("https")) {
+                    domain = scheme + "://" + domain;
+                } else {
+                    LOGGER.log(Level.FINER, "Ignoring URI with unsupported scheme: " + url);
+                    return null;
+                }
+            }
+            final int port = uri.getPort();
+            if (port != -1) {
+                domain = domain + ":" + port;
+            }
+            return domain;
+        } catch (URISyntaxException e) {
+            LOGGER.log(Level.FINE, "Failed to parse avatar URI: " + url, e);
+            return null;
+        }
+    }
+}