
Redirects to jenkins.io after form submissions are being rejected in Chrome for violating CSP #26001

@daniel-beck

Description


Jenkins and plugins versions report

n/a

What Operating System are you using (both controller, and any agents involved in the problem)?

n/a

Reproduction steps

It's a somewhat common pattern in Jenkins to have the #doAct method in admin monitors redirect to documentation. Core occurrences:

return new HttpRedirect("https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy");

rsp.sendRedirect("https://www.jenkins.io/redirect/csrf-protection/");

return new HttpRedirect("https://jenkins.io/redirect/java-support/");

This doesn't work in Chrome when CSP is enforcing form-action in Jenkins 2.539+. Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/form-action,

Warning: Whether form-action should block redirects after a form submission is debated and browser implementations of this aspect are inconsistent (e.g., Firefox 57 doesn't block the redirects whereas Chrome 63 does).

Expected Results

Redirect works.

Actual Results

It doesn't.

Anything else?

No response

Are you interested in contributing a fix?

No response
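As an added illustration (not code from the issue or from Jenkins), here is a small Python model of how a Chrome-style enforcement of `form-action` decides whether a post-submission redirect target is allowed. The policy string and the controller origin are assumptions, since the issue does not quote the header Jenkins actually sends; the three redirect targets are the ones listed in the report.

```python
from urllib.parse import urlsplit

# Constructed policy (assumption): the issue does not quote the real header,
# so 'self' stands in for whatever form-action value Jenkins 2.539+ enforces.
POLICY = "default-src 'self'; form-action 'self'"

# The three external redirect targets quoted in the issue.
ISSUE_TARGETS = [
    "https://www.jenkins.io/redirect/troubleshooting/broken-reverse-proxy",
    "https://www.jenkins.io/redirect/csrf-protection/",
    "https://jenkins.io/redirect/java-support/",
]

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def source_matches(expr, target, document_origin):
    """Simplified source-expression matching: 'none', 'self', *, scheme-source,
    host-source with optional scheme and leading wildcard. Ports are ignored."""
    t, d = urlsplit(target), urlsplit(document_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (t.scheme, t.hostname) == (d.scheme, d.hostname)
    if expr == "*":
        return True
    if expr.endswith(":"):                      # scheme-source such as "https:"
        return t.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")    # host-source [scheme://]host[/path]
    if scheme and t.scheme != scheme:
        return False
    hostname = host.split("/")[0].split(":")[0]
    if hostname.startswith("*."):               # *.jenkins.io does not match jenkins.io
        return t.hostname is not None and t.hostname.endswith(hostname[1:])
    return t.hostname == hostname

def redirect_allowed(header, document_origin, redirect_target):
    """True if the redirect target passes form-action. Chrome checks each hop of the
    redirect chain; Firefox (per the MDN note) only checks the initial action URL.
    form-action has no default-src fallback, so an absent directive allows everything."""
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return True
    return any(source_matches(s, redirect_target, document_origin) for s in sources)

def check_issue_targets(header=POLICY, origin="https://ci.example.test"):
    """Evaluate every target from the issue against the (assumed) policy."""
    return {url: redirect_allowed(header, origin, url) for url in ISSUE_TARGETS}
```

Under the assumed `form-action 'self'` every jenkins.io target is rejected, while adding the documentation hosts as explicit sources lets the redirect through without reverting to an unrestricted directive.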

Metadata

Labels: csp, lts-candidate (When fixed, this issue should be considered for backporting to the LTS line)


Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
