Some of the Jenkins confic is static and can be injected as part of the initial page load e.g. the list of extensions (js-extensions) and config added in the clobal JS scope (as part of https://github.com/jenkinsci/blueocean-plugin/pull/405).
- Add extensions to the global application config object
- Add security related "stuff" done as part of https://github.com/jenkinsci/blueocean-plugin/pull/405
- Update frontend to read extensions from this config object
- Please review how the extension points are cached and calculated