Prevent a occasional JavaScript safety warning message when running in

HTTPS

changelog.html

@@ -61,6 +61,8 @@ Upcoming changes</a>
   <li class=bug>
     Defined a proper way to interrupt the build and mark it as a failure.
     (<a href="http://issues.jenkins-ci.org/browse/JENKINS-9203">issue 9203</a>)
+  <li class=rfe>
+    Prevent a occasional JavaScript safety warning message when running in HTTPS
   <li class=rfe>
     About page should not autorefresh
     (<a href="http://issues.jenkins-ci.org/browse/JENKINS-9967">issue 9967</a>)

core/src/main/java/hudson/model/DownloadService.java

@@ -73,7 +73,7 @@ public class DownloadService extends PageDecorator {
                        .append("  downloadService.download(")
                        .append(QuotedStringTokenizer.quote(d.getId()))
                        .append(',')
-                       .append(QuotedStringTokenizer.quote(d.getUrl()))
+                       .append(QuotedStringTokenizer.quote(mapHttps(d.getUrl())))
                        .append(',')
                        .append("{version:"+QuotedStringTokenizer.quote(Jenkins.VERSION)+'}')
                        .append(',')
@@ -89,6 +89,22 @@ public class DownloadService extends PageDecorator {
         return buf.toString();
     }
 
+    private String mapHttps(String url) {
+        /*
+            HACKISH:
+
+            Loading scripts in HTTP from HTTPS pages cause browsers to issue a warning dialog.
+            The elegant way to solve the problem is to always load update center from HTTPS,
+            but our backend mirroring scheme isn't ready for that. So this hack serves regular
+            traffic in HTTP server, and only use HTTPS update center for Jenkins in HTTPS.
+
+            We'll monitor the traffic to see if we can sustain this added traffic.
+         */
+        if (url.startsWith("http://updates.jenkins-ci.org/") && Jenkins.getInstance().isRootUrlSecure())
+            return "https"+url.substring(4);
+        return url;
+    }
+
     /**
      * Gets {@link Downloadable} by its ID.
      * Used to bind them to URL.
@@ -119,9 +135,9 @@ public class DownloadService extends PageDecorator {
         /**
          *
          * @param url
-         *      URL relative to {@link UpdateCenter#getUrl()}.
+         *      URL relative to {@link UpdateCenter#getDefaultBaseUrl()}.
          *      So if this string is "foo.json", the ultimate URL will be
-         *      something like "https://hudson.dev.java.net/foo.json"
+         *      something like "http://updates.jenkins-ci.org/updates/foo.json"
          *
          *      For security and privacy reasons, we don't allow the retrieval
          *      from random locations.

core/src/main/java/hudson/model/UpdateSite.java

@@ -37,6 +37,7 @@ import static hudson.util.TimeUnit2.DAYS;
 import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.jvnet.hudson.crypto.CertificateUtil;
@@ -337,6 +338,28 @@ public class UpdateSite {
         return url;
     }
 
+    /**
+     * Where to actually download the update center?
+     *
+     * @deprecated
+     *      Exposed only for UI.
+     */
+    public String getDownloadUrl() {
+        /*
+            HACKISH:
+
+            Loading scripts in HTTP from HTTPS pages cause browsers to issue a warning dialog.
+            The elegant way to solve the problem is to always load update center from HTTPS,
+            but our backend mirroring scheme isn't ready for that. So this hack serves regular
+            traffic in HTTP server, and only use HTTPS update center for Jenkins in HTTPS.
+
+            We'll monitor the traffic to see if we can sustain this added traffic.
+         */
+        if (url.equals("http://updates.jenkins-ci.org/update-center.json") && Jenkins.getInstance().isRootUrlSecure())
+            return "https"+url.substring(4);
+        return url;
+    }
+
     /**
      * Is this the legacy default update center site?
      */

core/src/main/java/jenkins/model/Jenkins.java

@@ -1622,8 +1622,8 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
     }
 
     /**
-     * Gets the absolute URL of Hudson,
-     * such as "http://localhost/hudson/".
+     * Gets the absolute URL of Jenkins,
+     * such as "http://localhost/jenkins/".
      *
      * <p>
      * This method first tries to use the manually configured value, then
@@ -1650,6 +1650,17 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
         return null;
     }
 
+    /**
+     * Is Jenkins running in HTTPS?
+     *
+     * Note that we can't really trust {@link StaplerRequest#isSecure()} because HTTPS might be terminated
+     * in the reverse proxy.
+     */
+    public boolean isRootUrlSecure() {
+        String url = getRootUrl();
+        return url!=null && url.startsWith("https");
+    }
+
     /**
      * Gets the absolute URL of Hudson top page, such as "http://localhost/hudson/".
      *

core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly

@@ -37,7 +37,7 @@ THE SOFTWARE.
         Behaviour.addLoadEvent(function() {
             downloadService.download(
                 "${site.id}",
-                "${site.url}",
+                "${site.downloadUrl}",
                 {version:"${h.version}"},
                 "${rootURL}/updateCenter/byId/${site.id}/postBack",
                 null);

core/src/main/resources/hudson/model/UsageStatistics/footer.jelly

@@ -34,7 +34,7 @@ THE SOFTWARE.
   <j:if test="${it.due}">
     <script>
       Behaviour.addLoadEvent(function() {
-        loadScript("http://usage.jenkins-ci.org/usage-stats.js?${it.statData}");
+        loadScript("${app.isRootUrlSecure()?'https':'http'}://usage.jenkins-ci.org/usage-stats.js?${it.statData}");
       });
     </script>
   </j:if>