Contributed by Mark Waite, CloudBees | Originally posted on jenkins.io
Alpha-Omega has provided a grant for three months of full-time work to improve the Jenkins implementation of Content Security Policy. The improvements will be implemented in October, November, and December of 2024. Shlomo Dahan is implementing the improvements with technical guidance from Basil Crow and project management support from Bruno Verachten.
Alpha-Omega is an associated project of the OpenSSF, established in February 2022, funded by Microsoft, Google, and Amazon. The mission of Alpha-Omega is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. Alpha-Omega has funded security improvements in major open source projects like the Linux Kernel, Rust Foundation, FreeBSD, Node.js, Ruby Central, and the Eclipse Foundation. We are sincerely grateful for this grant to the Jenkins project.
What is Content Security Policy?
From content-security-policy.com:
Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict which resources (such as JavaScript, CSS, Images, etc.) can be loaded and the URLs that they can be loaded from.
Using Content-Security-Policy (CSP), injection attacks like cross-site scripting can be prevented.
Why a grant for Jenkins?
Jenkins is the leading open source automation server. It provides critical capabilities to organizations around the world as they create, test, and deploy software. Improving the security of the Jenkins project aligns very well with the Alpha-Omega mission for “sustainable security improvements to the most critical open source software projects”.
We hope that the successful completion of this 3-month project will result in additional funding and an expanded project in 2025.
Who is working on the project?
- Basil Crow is the technical lead of the project. He’ll provide guidance, mentoring, and assistance for the implementation.
- Bruno Verachten is the project manager. He’ll provide regular progress reports to Alpha-Omega.
- Shlomo Dahan is the developer who will implement the improvements.