Class AvatarContributor

java.lang.Object
jenkins.security.csp.AvatarContributor
All Implemented Interfaces:
ExtensionPoint, Contributor

@Restricted(org.kohsuke.accmod.restrictions.Beta.class) @Extension public class AvatarContributor extends Object implements Contributor
This is a general extension for use by implementations of UserAvatarResolver and AvatarMetadataAction from the scm-api plugin, or other "avatar-like" use cases. It simplifies allowlisting safe sources of avatars by offering simple APIs that take a complete URL.
  • Constructor Details

    • AvatarContributor

      public AvatarContributor()
  • Method Details

    • apply

      public void apply(CspBuilder cspBuilder)
      Description copied from interface: Contributor
      Contribute to the builder's rules by adding to or removing from the provided CspBuilder.
      Specified by:
      apply in interface Contributor
      Parameters:
      cspBuilder - the builder
    • allow

      public static void allow(@CheckForNull String url)
      Request addition of the domain of the specified URL to the allowed set of avatar image domains.

      This is a utility method intended to accept any avatar URL from an undetermined, but trusted (for images) domain. If the specified URL is not null, has a host, and http or https scheme, its domain will be added to the set of allowed domains.

      Important: Only implementations that restrict specification of avatar URLs to at least somewhat privileged users should invoke this method, for example users with at least Item.CONFIGURE permission. Note that this guidance may change over time and require implementation changes.

      Parameters:
      url - The avatar image URL whose domain should be added to the list of allowed domains
    • extractDomainFromUrl

      @CheckForNull public static String extractDomainFromUrl(@CheckForNull String url)
      Utility method extracting the domain specification for CSP fetch directives from a specified URL. If the specified URL is not null, has a host, and http or https scheme, this method will return its domain. This can be used by implementations of Contributor for which allow(String) is not flexible enough (e.g., requesting administrator approval for a domain).
      Parameters:
      url - the URL
      Returns:
      the domain from the specified URL, or null if the URL does not satisfy the stated conditions
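
The following is an added usage sketch, not code from Jenkins or the scm-api plugin: it gates who may set an avatar URL on Item.CONFIGURE, rejects URLs that extractDomainFromUrl(String) would not accept, and only then calls allow(String). The class ItemAvatar and its methods are hypothetical; it assumes a plugin compiled against a Jenkins core that contains jenkins.security.csp, and calling allow(String) each time the URL is handed out is a design choice of this sketch because the page does not say how long the allowed set is retained.

```java
import hudson.model.Item;
import jenkins.security.csp.AvatarContributor;

/**
 * Hypothetical holder for a per-item avatar URL (illustration only).
 * AvatarContributor is marked @Restricted(Beta.class), so its API may change.
 */
public class ItemAvatar {
    private final Item owner;
    private volatile String avatarUrl; // written only through setAvatarUrl()

    public ItemAvatar(Item owner) {
        this.owner = owner;
    }

    /** Intended to be called while handling the item's configuration submission. */
    public void setAvatarUrl(String url) {
        // Documented guidance: only somewhat privileged users may choose the URL.
        // checkPermission throws if the current user lacks Item.CONFIGURE.
        owner.checkPermission(Item.CONFIGURE);

        if (url == null || url.isBlank()) {
            avatarUrl = null; // clearing the avatar needs no allowlisting
            return;
        }
        // extractDomainFromUrl returns null unless the URL has a host and an
        // http or https scheme, so relative URLs and other schemes are refused
        // here instead of being stored and silently never allowlisted.
        if (AvatarContributor.extractDomainFromUrl(url) == null) {
            throw new IllegalArgumentException(
                    "Avatar URL must be an absolute http(s) URL with a host");
        }
        avatarUrl = url;
    }

    /** Returns the stored URL for rendering, requesting allowlisting of its domain. */
    public String getAvatarUrl() {
        String url = avatarUrl;
        if (url != null) {
            // Safe to call here: the value can only have been set by a user
            // who passed the Item.CONFIGURE check above.
            AvatarContributor.allow(url);
        }
        return url;
    }
}
```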