jenkinsci / simple-theme-plugin

A simple theme plugin for Jenkins
https://plugins.jenkins.io/simple-theme-plugin
MIT License

CSS text theme element is not CSP compliant #216

Open mawinter69 opened 3 weeks ago

mawinter69 commented 3 weeks ago

What feature do you want to see added?

When you add a CssTextTheme element, this is rendered as an inline style element. This is a violation of common CSP settings. The element should either be deprecated or changed in a way so that it generates a URL from where the CSS is loaded, e.g. via an UnprotectedRootAction.

Upstream changes

No response

Are you interested in contributing this feature?

No response
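A check a Jenkins administrator could run against their own Content-Security-Policy header to see whether an inline `<style>` element (such as the one CssTextTheme emits) would be allowed. This is an added example, not code from simple-theme-plugin or from this issue; it goes a little beyond the thread by also showing hash allow-listing of the exact CSS text as an alternative to `'unsafe-inline'`. The policy strings and theme CSS are constructed.

```python
"""Decide whether a Content-Security-Policy lets an inline <style> element apply.
Constructed example, not part of simple-theme-plugin. Follows the CSP3 fallback
chain style-src-elem -> style-src -> default-src, and the CSP3 rule that
'unsafe-inline' is ignored once a nonce or hash source is present."""
import base64
import hashlib
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # The spec keeps the first occurrence of a duplicated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def style_hash_source(css: str) -> str:
    """Return the 'sha256-...' source expression that allow-lists this CSS text."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def allows_inline_style(header: str, css: Optional[str] = None) -> bool:
    """True if a plain <style> element (optionally with content `css`) is permitted."""
    policy = parse_csp(header)
    sources = next(
        (policy[d] for d in ("style-src-elem", "style-src", "default-src") if d in policy),
        None,
    )
    if sources is None:
        return True  # no governing directive: inline styles are unrestricted
    if css is not None and style_hash_source(css) in sources:
        return True  # the exact stylesheet content is hash-allow-listed
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    )
    return "'unsafe-inline'" in keywords and not has_nonce_or_hash


if __name__ == "__main__":
    theme_css = "body { background: #202020; }"  # constructed theme text
    for policy in ("default-src 'self'; style-src 'self' 'unsafe-inline'",
                   "default-src 'self'",
                   "default-src 'self'; style-src 'self' " + style_hash_source(theme_css)):
        print(f"{policy!r:70} -> inline style allowed: {allows_inline_style(policy, theme_css)}")
```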

TobiX commented 2 weeks ago

Hmm. Are such strict CSPs common? I commonly saw "safe" policies using "unsafe-inline" for styles. Even https://csp-evaluator.withgoogle.com/ does not complain about "unsafe-inline" for styles.

(Nevertheless, I do agree it would be better to change the plugin to not need such exceptions...)