stapler:bind is creating inline javascript

[mawinter69]

What feature do you want to see added?

using <st:bind var="myproxy" value="${it}"/>result in the following code getting injected in the rendered page:

<script>
myproxy = makeStaplerProxy(...)
</script>

This is a problem when Content Security Policy should be enabled.
Maybe one can just create some json data

<script class="stapler-javascript-proxy" type="application/json">
  {"myproxy": {"url": "/jenkins/$stapler/bound/dcabcdd4-f80d-4b46-b5f7-db0ce94ab8ff",
               "crumb": "abc234d97ed766f5...",
               "methods": ["myfirstmethod", "mysecondmethod"] 
               }
  }
</script>

The bind.js could then find the data and do the assignment to the variable.

Upstream changes

No response

[timja]

There's a PR here for this #385 from @daniel-beck

[MarkEWaite]

Merged and included in Stapler release 1839.ved17667b_a_eb_5

[daniel-beck]

Depends on jenkinsci/jenkins#6865 to work though. Reviews still welcome!