
Allow URL-specific avatar image sources in CSP#26021

Open

somiljain2006 wants to merge 14 commits into jenkinsci:master from somiljain2006:avatar_contributor_allow_enhancement

Conversation


somiljain2006 (Contributor) commented Dec 31, 2025

Fixes #23888

Introduce URL-level allowlisting for avatar images to enable more targeted img-src CSP directives. This preserves the existing domain-based behavior while providing an opt-in API for plugins that can determine exact avatar URLs.

Testing done

Ensured all tests still passed.

Proposed changelog entries

Allow plugins to allowlist exact avatar image URLs in Content Security Policy.

Proposed changelog category

/label rfe

Proposed upgrade guidelines

N/A

Desired reviewers

@jenkinsci/core-pr-reviewers, @daniel-beck, @MarkEWaite, @strangelookingnerd

Before the changes are marked as ready-for-merge:

Maintainer checklist

  • There are at least two (2) approvals for the pull request and no outstanding requests for change.
  • Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  • Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  • Proper changelog labels are set so that the changelog can be generated automatically.
  • If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set, and there is a Proposed upgrade guidelines section in the pull request title (see example).
  • If it would make sense to backport the change to LTS, be a Bug or Improvement, and either the issue or pull request must be labeled as lts-candidate to be considered.

comment-ops-bot added the `rfe` label (For changelog: Minor enhancement. Use `major-rfe` for changes to be highlighted) on Dec 31, 2025

MarkEWaite (Contributor) left a comment

Several review comments that need to be addressed. Once those are addressed, I'd like to ask GitHub Copilot to review the pull request as well.

Copilot AI (Contributor) left a comment

Pull request overview

This pull request introduces URL-level allowlisting for avatar images in Content Security Policy (CSP), enabling plugins to allowlist specific avatar image URLs rather than just entire domains. This provides more granular control over CSP img-src directives while maintaining backward compatibility with the existing domain-based approach.

Key changes:

  • Added a new allowUrl() API method for URL-specific CSP allowlisting
  • Implemented normalizeUrl() to canonicalize URLs for consistent CSP entries
  • Added comprehensive test coverage for URL normalization edge cases

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File | Description
core/src/main/java/jenkins/security/csp/AvatarContributor.java | Adds the allowUrl() API, the normalizeUrl() URL canonicalization logic, and the infrastructure to store and apply URL-specific CSP sources alongside the existing domain-based sources
core/src/test/java/jenkins/security/csp/AvatarContributorTest.java | Adds comprehensive unit tests for URL normalization covering IPv6, IDN, port handling, fragment stripping, credential rejection, and deduplication

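To make the canonicalization rules listed in the review summary concrete (IPv6 literals, IDN hosts, default ports, fragment stripping, credential rejection, deduplication), here is an added Python sketch of a URL normalizer for CSP img-src entries; it is not the PR's Java code, and the exact rules (only http/https accepted, default port dropped, credentials rejected rather than rewritten) are assumptions chosen for illustration. Sample inputs are constructed.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Default ports per scheme; a URL on its default port is written without the port so that
# "https://example.com:443/a.png" and "https://example.com/a.png" collapse to one CSP entry.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_avatar_url(raw: str) -> Optional[str]:
    """Canonicalize one avatar URL into a CSP img-src entry, or return None if it is rejected."""
    try:
        parts = urlsplit(raw.strip())
        host = parts.hostname   # lower-cased; IPv6 literals come back without their brackets
        port = parts.port       # raises ValueError for a non-numeric or out-of-range port
    except ValueError:          # malformed IPv6 literal or bad port
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None             # assumption: only http/https belong in an img-src source list
    if parts.username is not None or parts.password is not None:
        return None             # embedded credentials are rejected outright, never rewritten
    if not host:
        return None
    if ":" in host:
        host = f"[{host}]"      # IPv6 literal: restore the brackets a host-source needs
    else:
        host = host.encode("idna").decode("ascii")  # IDN host -> ASCII A-label (punycode)
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # The fragment is never sent to the server and is not part of a CSP source, so it is dropped.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def allow_urls(urls: Iterable[str]) -> List[str]:
    """Normalize every candidate, drop rejected ones and exact duplicates, keep first-seen order."""
    entries: List[str] = []
    for url in urls:
        entry = normalize_avatar_url(url)
        if entry is not None and entry not in entries:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    for u in ["HTTPS://Example.COM:443/avatar.png#top",
              "https://user:pw@example.com/avatar.png",
              "https://[2001:DB8::1]:8443/avatar.png",
              "https://bücher.example/avatar.png"]:
        print(f"{u!r} -> {normalize_avatar_url(u)!r}")
```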

somiljain2006 (Contributor, Author) commented

@MarkEWaite, could you please review the updated code? I’ve addressed the feedback and pushed the latest changes.

somiljain2006 (Contributor, Author) commented

@strangelookingnerd, I have added the required test. Can you review it?

somiljain2006 (Contributor, Author) commented Jan 22, 2026

@strangelookingnerd @daniel-beck Can you review the PR? I have applied the required fix.


Labels

rfe For changelog: Minor enhancement. use `major-rfe` for changes to be highlighted


Development

Successfully merging this pull request may close these issues.

Make AvatarContributor#allow more targeted
