Posted to derby-dev@db.apache.org by Rick Hillegas <ri...@gmail.com> on 2016/04/24 16:34:16 UTC

blank html frames in Jenkins-built documentation

Hi Infrastructure experts,

The Derby project uses Jenkins to build the latest version of our user 
documentation. The resulting documents are linked from the Derby website 
here: http://db.apache.org/derby/manuals/index.html#latest. Some of the 
Jenkins-built documentation is in html format and it uses frames. The 
Jenkins machines serve up those web pages as blank frames and my Firefox 
browser's error console reports the following:

<consoleOutput>
Content Security Policy: Couldn't process unknown directive 'sandbox'
<unknown>
Content Security Policy: The page's settings blocked the loading of a
resource at
https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
("default-src 'none'").
</consoleOutput>

The frames seem to have been intercepted in order to frustrate a 
possible Cross Frame Scripting attack, as described by the default 
Jenkins Content Security Policy: 
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations

The default Jenkins Content Security Policy assumes that Apache 
continuous-integration builds are exposed to the two risks listed here: 
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
I don't believe that Apache's Jenkins builds suffer from the first 
risk ("Are less trusted users allowed to create or modify files in 
Jenkins workspaces?"). That is because only trusted Apache committers 
can trigger Jenkins builds. Do Apache continuous-integration builds 
suffer from the second risk ("Are some slaves not fully trusted?")?

The Derby developers have begun discussing this problem at 
http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
I would appreciate your advice about how we can stop html frames from 
being intercepted and blanked out when readers link to the Jenkins-built 
documentation.

Thanks,
-Rick

Re: blank html frames in Jenkins-built documentation

Posted by Bryan Pendleton <bp...@gmail.com>.
Rick, it looks like maybe this problem has re-occurred? On my browser,
I see:

     Refused to frame 'https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/toc.html'
     because it violates the following Content Security Policy directive: "default-src 'none'".
     Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Can you have a look and tell me what you see?

thanks,

bryan

===========================================================


On 5/7/2016 6:57 AM, Rick Hillegas wrote:
> Thanks, Uwe and Chris. The change described on https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed the problem. I can now see Derby's Jenkins-generated, frames-based, html-formatted alpha docs.
>
> Thanks,
> -Rick
>
> On 4/25/16 4:19 PM, Uwe Schindler wrote:
>> I opened https://issues.apache.org/jira/browse/INFRA-11746
>>
>> Uwe
>>
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: uwe@thetaphi.de
>>
>>> -----Original Message-----
>>> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
>>> Sent: Sunday, April 24, 2016 8:09 PM
>>> To: builds@apache.org
>>> Cc: Rick Hillegas<ri...@gmail.com>; derby-dev@db.apache.org
>>> Subject: Re: blank html frames in Jenkins-built documentation
>>>
>>> Please open an INFRA JIRA.
>>>
>>> On Sunday, April 24, 2016, Uwe Schindler<us...@apache.org>  wrote:
>>>
>>>> Hi,
>>>>
>>>> We have the same problem with our Lucene documentation. Some Lucene
>>>> classes refer to JDK documentation. The links just result in a white page
>>>> and the mentioned security warning in browser logs.
>>>>
>>>> For other Jenkins servers outside ASF the setting to disable these checks
>>>> was added to prevent the javadocs problem.
>>>>
>>>> Unless Java 9 with the new Javadocs style comes, it is impossible to
>>>> display Javadocs of previous versions with the frame security issues.
>>>> Please disable this as described in Jenkins Wiki. Our build servers are
>>>> under full control by infrastructure and committers. Nobody from the outside
>>>> can inject custom pages loaded in frames.
>>>>
>>>> Uwe
>>>>
>>>> On 24 April 2016 16:34:16 MESZ, Rick Hillegas <rick.hillegas@gmail.com> wrote:
>>>>> Hi Infrastructure experts,
>>>>>
>>>>> The Derby project uses Jenkins to build the latest version of our user
>>>>> documentation. The resulting documents are linked from the Derby
>>>>> website
>>>>> here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
>>>>> Jenkins-built documentation is in html format and it uses frames. The
>>>>> Jenkins machines serve up those web pages as blank frames and my
>>>>> Firefox
>>>>> browser's error console reports the following:
>>>>>
>>>>> <consoleOutput>
>>>>> Content Security Policy: Couldn't process unknown directive 'sandbox'
>>>>> <unknown>
>>>>> Content Security Policy: The page's settings blocked the loading of a
>>>>> resource at
>>>>>
>>>> https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
>>>>> ("default-src 'none'").
>>>>> </consoleOutput>
>>>>>
>>>>> The frames seem to have been intercepted in order to frustrate a
>>>>> possible Cross Frame Scripting attack, as described by the default
>>>>> Jenkins Content Security Policy:
>>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>>> The default Jenkins Content Security Policy assumes that Apache
>>>>> continuous-integration builds are exposed to the two risks listed here:
>>>>>
>>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>>> . I don't believe that Apache's Jenkins builds suffer from the first
>>>>> risk ("Are less trusted users allowed to create or modify files in
>>>>> Jenkins workspaces?"). That is because only trusted Apache committers
>>>>> can trigger Jenkins builds. Do Apache continuous-integration builds
>>>>> suffer from the second risk ("Are some slaves not fully trusted?").
>>>>>
>>>>> The Derby developers have begun discussing this problem at
>>>>>
>>>> http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
>>>>> . I would appreciate your advice about how we can stop html frames from
>>>>>
>>>>> being intercepted and blanked out when readers link to the
>>>>> Jenkins-built
>>>>> documentation.
>>>>>
>>>>> Thanks,
>>>>> -Rick
>>
>
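
The two browser messages quoted in this thread (Rick's Firefox "default-src 'none'" error and Bryan's Chrome note that frame-src was not set so default-src was used) describe the same CSP rule: a frame load is governed by frame-src, falling back to child-src and then default-src. The script below is an added example written for this archive page; it is not Jenkins code and not part of any message in the thread. It parses a CSP header, walks that fallback chain, and reports whether a given frame URL would be allowed. The Jenkins default policy value is reproduced from memory of the wiki page linked above and should be verified on a live instance (curl -sI on an artifact URL); the index.html document URL and the docs.example.org host are assumed for illustration. The relaxed policy shown, which adds only frame-src 'self' instead of clearing the header, is the editor's suggestion, not something the thread or INFRA-11746 states; the wiki page describes the hudson.model.DirectoryBrowserSupport.CSP system property as the knob Jenkins uses for this header.

```python
"""
Evaluate whether a Content-Security-Policy header lets a page frame a URL.

Added example for this thread; not Jenkins code and not part of the original
messages. It models the directive fallback the browsers reported: a frame load
is governed by frame-src, else child-src, else default-src, and 'none' there
blocks the frame. Only the source expressions these policies use ('self',
'none', '*', scheme-source, host-source) are handled; port matching is
simplified (a host-source without a port matches any port).
"""
from urllib.parse import urlsplit

# Jenkins' default policy for workspace and artifact files, reproduced from
# memory of the wiki page linked in the thread. Verify on your own instance:
#   curl -sI <artifact URL> | grep -i content-security-policy
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# A narrower relaxation than clearing the policy (editor's suggestion): keep
# the sandbox and the script ban, allow frames only from Jenkins' own origin.
JENKINS_SAME_ORIGIN_FRAMES_CSP = JENKINS_DEFAULT_CSP + " frame-src 'self';"

# Assumed frameset page, and the toc.html frame URL from Rick's console output.
DOCUMENT_URL = "https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/index.html"
FRAME_URL = "https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html"

FRAME_FALLBACK = ("frame-src", "child-src", "default-src")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; first directive of a name wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_directive(policy, fallback):
    """First directive in the fallback chain that the policy actually sets."""
    for name in fallback:
        if name in policy:
            return name, policy[name]
    return None, None


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())


def origin_of(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), _port(u))


def source_matches(expr, target_url, document_origin):
    """Does one CSP source expression permit target_url?"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin_of(target_url) == document_origin
    if expr == "*":
        return True
    t = urlsplit(target_url)
    if expr.endswith(":"):                                   # scheme-source, e.g. https:
        return t.scheme.lower() == expr[:-1].lower()
    s = urlsplit(expr if "://" in expr else "//" + expr)     # host-source
    if s.scheme and s.scheme.lower() != t.scheme.lower():
        return False
    host, thost = (s.hostname or "").lower(), (t.hostname or "").lower()
    if host.startswith("*."):
        if not thost.endswith(host[1:]):
            return False
    elif thost != host:
        return False
    if s.port is not None and s.port != _port(t):
        return False
    return True


def frame_allowed(header, document_url, frame_url):
    """Return (allowed, deciding directive); directive None means the policy is silent on frames."""
    name, sources = effective_directive(parse_csp(header), FRAME_FALLBACK)
    if name is None:
        return True, None
    if not sources or sources == ["'none'"]:
        return False, name
    doc_origin = origin_of(document_url)
    return any(source_matches(s, frame_url, doc_origin) for s in sources), name


if __name__ == "__main__":
    print("default Jenkins policy:", frame_allowed(JENKINS_DEFAULT_CSP, DOCUMENT_URL, FRAME_URL))
    print("with frame-src 'self':", frame_allowed(JENKINS_SAME_ORIGIN_FRAMES_CSP, DOCUMENT_URL, FRAME_URL))
    print("cross-origin frame:", frame_allowed(JENKINS_SAME_ORIGIN_FRAMES_CSP, DOCUMENT_URL, "https://docs.example.org/api/"))
```

Running it shows the default policy rejecting toc.html via default-src, the same-origin relaxation admitting it via frame-src, and a cross-origin frame (the situation Uwe describes for Javadoc links to external JDK documentation) still blocked unless that host is listed explicitly in frame-src. The Firefox note about the unknown 'sandbox' directive is a parsing warning and is not what blanks the frame; the 'none' fallback is.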


Re: blank html frames in Jenkins-built documentation

Posted by Rick Hillegas <ri...@gmail.com>.
Thanks, Uwe and Chris. The change described on 
https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed 
the problem. I can now see Derby's Jenkins-generated, frames-based, 
html-formatted alpha docs.

Thanks,
-Rick

On 4/25/16 4:19 PM, Uwe Schindler wrote:
> I opened https://issues.apache.org/jira/browse/INFRA-11746
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>> -----Original Message-----
>> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
>> Sent: Sunday, April 24, 2016 8:09 PM
>> To: builds@apache.org
>> Cc: Rick Hillegas<ri...@gmail.com>; derby-dev@db.apache.org
>> Subject: Re: blank html frames in Jenkins-built documentation
>>
>> Please open an INFRA JIRA.
>>
>> On Sunday, April 24, 2016, Uwe Schindler<us...@apache.org>  wrote:
>>
>>> Hi,
>>>
>>> We have the same problem with our Lucene documentation. Some Lucene
>>> classes refer to JDK documentation. The links just result in a white page
>>> and the mentioned security warning in browser logs.
>>>
>>> For other Jenkins servers outside ASF the setting to disable these checks
>>> was added to prevent the javadocs problem.
>>>
>>> Unless Java 9 with the new Javadocs style comes, it is impossible to
>>> display Javadocs of previous versions with the frame security issues.
>>> Please disable this as described in Jenkins Wiki. Our build servers are
>>> under full control by infrastructure and committers. Nobody from the outside
>>> can inject custom pages loaded in frames.
>>>
>>> Uwe
>>>
>>> On 24 April 2016 16:34:16 MESZ, Rick Hillegas <rick.hillegas@gmail.com> wrote:
>>>> Hi Infrastructure experts,
>>>>
>>>> The Derby project uses Jenkins to build the latest version of our user
>>>> documentation. The resulting documents are linked from the Derby
>>>> website
>>>> here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
>>>> Jenkins-built documentation is in html format and it uses frames. The
>>>> Jenkins machines serve up those web pages as blank frames and my
>>>> Firefox
>>>> browser's error console reports the following:
>>>>
>>>> <consoleOutput>
>>>> Content Security Policy: Couldn't process unknown directive 'sandbox'
>>>> <unknown>
>>>> Content Security Policy: The page's settings blocked the loading of a
>>>> resource at
>>>>
>>> https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
>>>> ("default-src 'none'").
>>>> </consoleOutput>
>>>>
>>>> The frames seem to have been intercepted in order to frustrate a
>>>> possible Cross Frame Scripting attack, as described by the default
>>>> Jenkins Content Security Policy:
>>>>
>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> The default Jenkins Content Security Policy assumes that Apache
>>>> continuous-integration builds are exposed to the two risks listed here:
>>>>
>>>>
>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> . I don't believe that Apache's Jenkins builds suffer from the first
>>>> risk ("Are less trusted users allowed to create or modify files in
>>>> Jenkins workspaces?"). That is because only trusted Apache committers
>>>> can trigger Jenkins builds. Do Apache continuous-integration builds
>>>> suffer from the second risk ("Are some slaves not fully trusted?").
>>>>
>>>> The Derby developers have begun discussing this problem at
>>>>
>>> http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
>>>> . I would appreciate your advice about how we can stop html frames from
>>>>
>>>> being intercepted and blanked out when readers link to the
>>>> Jenkins-built
>>>> documentation.
>>>>
>>>> Thanks,
>>>> -Rick
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


RE: blank html frames in Jenkins-built documentation

Posted by Uwe Schindler <uw...@thetaphi.de>.
I opened https://issues.apache.org/jira/browse/INFRA-11746

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de

> -----Original Message-----
> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
> Sent: Sunday, April 24, 2016 8:09 PM
> To: builds@apache.org
> Cc: Rick Hillegas <ri...@gmail.com>; derby-dev@db.apache.org
> Subject: Re: blank html frames in Jenkins-built documentation
> 
> Please open an INFRA JIRA.
> 
> On Sunday, April 24, 2016, Uwe Schindler <us...@apache.org> wrote:
> 
> > Hi,
> >
> > We have the same problem with our Lucene documentation. Some Lucene
> > classes refer to JDK documentation. The links just result in a white page
> > and the mentioned security warning in browser logs.
> >
> > For other Jenkins servers outside ASF the setting to disable these checks
> > was added to prevent the javadocs problem.
> >
> > Unless Java 9 with the new Javadocs style comes, it is impossible to
> > display Javadocs of previous versions with the frame security issues.
> > Please disable this as described in Jenkins Wiki. Our build servers are
> > under full control by infrastructure and committers. Nobody from the outside
> > can inject custom pages loaded in frames.
> >
> > Uwe
> >
> > On 24 April 2016 16:34:16 MESZ, Rick Hillegas <rick.hillegas@gmail.com> wrote:
> > >Hi Infrastructure experts,
> > >
> > >The Derby project uses Jenkins to build the latest version of our user
> > >documentation. The resulting documents are linked from the Derby
> > >website
> > >here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
> > >Jenkins-built documentation is in html format and it uses frames. The
> > >Jenkins machines serve up those web pages as blank frames and my
> > >Firefox
> > >browser's error console reports the following:
> > >
> > ><consoleOutput>
> > >Content Security Policy: Couldn't process unknown directive 'sandbox'
> > ><unknown>
> > >Content Security Policy: The page's settings blocked the loading of a
> > >resource at
> > >
> > https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
> > >("default-src 'none'").
> > ></consoleOutput>
> > >
> > >The frames seem to have been intercepted in order to frustrate a
> > >possible Cross Frame Scripting attack, as described by the default
> > >Jenkins Content Security Policy:
> > >
> > https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >The default Jenkins Content Security Policy assumes that Apache
> > >continuous-integration builds are exposed to the two risks listed here:
> > >
> > >
> > https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >. I don't believe that Apache's Jenkins builds suffer from the first
> > >risk ("Are less trusted users allowed to create or modify files in
> > >Jenkins workspaces?"). That is because only trusted Apache committers
> > >can trigger Jenkins builds. Do Apache continuous-integration builds
> > >suffer from the second risk ("Are some slaves not fully trusted?").
> > >
> > >The Derby developers have begun discussing this problem at
> > >
> > http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
> > >
> > >. I would appreciate your advice about how we can stop html frames from
> > >
> > >being intercepted and blanked out when readers link to the
> > >Jenkins-built
> > >documentation.
> > >
> > >Thanks,
> > >-Rick
> >


Re: blank html frames in Jenkins-built documentation

Posted by Andrew Bayer <an...@gmail.com>.
Please open an INFRA JIRA.

On Sunday, April 24, 2016, Uwe Schindler <us...@apache.org> wrote:

> Hi,
>
> We have the same problem with our Lucene documentation. Some Lucene
> classes refer to JDK documentation. The links just result in a white page
> and the mentioned security warning in browser logs.
>
> For other Jenkins servers outside ASF the setting to disable these checks
> was added to prevent the javadocs problem.
>
> Unless Java 9 with the new Javadocs style comes, it is impossible to
> display Javadocs of previous versions with the frame security issues.
> Please disable this as described in Jenkins Wiki. Our build servers are
> under full control by infrastructure and committers. Nobody from the outside
> can inject custom pages loaded in frames.
>
> Uwe
>
> On 24 April 2016 16:34:16 MESZ, Rick Hillegas <rick.hillegas@gmail.com> wrote:
> >Hi Infrastructure experts,
> >
> >The Derby project uses Jenkins to build the latest version of our user
> >documentation. The resulting documents are linked from the Derby
> >website
> >here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
> >
> >Jenkins-built documentation is in html format and it uses frames. The
> >Jenkins machines serve up those web pages as blank frames and my
> >Firefox
> >browser's error console reports the following:
> >
> ><consoleOutput>
> >Content Security Policy: Couldn't process unknown directive 'sandbox'
> ><unknown>
> >Content Security Policy: The page's settings blocked the loading of a
> >resource at
> >
> https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
> >("default-src 'none'").
> ></consoleOutput>
> >
> >The frames seem to have been intercepted in order to frustrate a
> >possible Cross Frame Scripting attack, as described by the default
> >Jenkins Content Security Policy:
> >
> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> >
> >The default Jenkins Content Security Policy assumes that Apache
> >continuous-integration builds are exposed to the two risks listed here:
> >
> >
> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> >
> >. I don't believe that Apache's Jenkins builds suffer from the first
> >risk ("Are less trusted users allowed to create or modify files in
> >Jenkins workspaces?"). That is because only trusted Apache committers
> >can trigger Jenkins builds. Do Apache continuous-integration builds
> >suffer from the second risk ("Are some slaves not fully trusted?").
> >
> >The Derby developers have begun discussing this problem at
> >
> http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
> >
> >. I would appreciate your advice about how we can stop html frames from
> >
> >being intercepted and blanked out when readers link to the
> >Jenkins-built
> >documentation.
> >
> >Thanks,
> >-Rick
>

Re: blank html frames in Jenkins-built documentation

Posted by Uwe Schindler <us...@apache.org>.
Hi,

We have the same problem with our Lucene documentation. Some Lucene classes refer to JDK documentation. The links just result in a white page and the mentioned security warning in browser logs.

For other Jenkins servers outside ASF the setting to disable these checks was added to prevent the javadocs problem.

Unless Java 9 with the new Javadocs style comes, it is impossible to display Javadocs of previous versions with the frame security issues. Please disable this as described in Jenkins Wiki. Our build servers are under full control by infrastructure and committers. Nobody from the outside can inject custom pages loaded in frames.

Uwe

On 24 April 2016 16:34:16 CEST, Rick Hillegas <ri...@gmail.com> wrote:
>Hi Infrastructure experts,
>
>The Derby project uses Jenkins to build the latest version of our user 
>documentation. The resulting documents are linked from the Derby
>website 
>here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
>
>Jenkins-built documentation is in html format and it uses frames. The 
>Jenkins machines serve up those web pages as blank frames and my
>Firefox 
>browser's error console reports the following:
>
><consoleOutput>
>Content Security Policy: Couldn't process unknown directive 'sandbox'
><unknown>
>Content Security Policy: The page's settings blocked the loading of a
>resource at
>https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
>("default-src 'none'").
></consoleOutput>
>
>The frames seem to have been intercepted in order to frustrate a 
>possible Cross Frame Scripting attack, as described by the default 
>Jenkins Content Security Policy: 
>https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>
>The default Jenkins Content Security Policy assumes that Apache 
>continuous-integration builds are exposed to the two risks listed here:
>
>https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>
>. I don't believe that Apache's Jenkins builds suffer from the first 
>risk ("Are less trusted users allowed to create or modify files in 
>Jenkins workspaces?"). That is because only trusted Apache committers 
>can trigger Jenkins builds. Do Apache continuous-integration builds 
>suffer from the second risk ("Are some slaves not fully trusted?").
>
>The Derby developers have begun discussing this problem at 
>http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
>
>. I would appreciate your advice about how we can stop html frames from
>
>being intercepted and blanked out when readers link to the
>Jenkins-built 
>documentation.
>
>Thanks,
>-Rick
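The blank frames Rick and Uwe describe come from the Content-Security-Policy header that Jenkins attaches to files it serves out of workspaces and archived artifacts. The checker below is an added example (editor's code, not code from Jenkins, Derby, Lucene or ASF infrastructure): it parses a CSP header and reports whether a frameset page can load its same-origin frames and whether those frames would run sandboxed. The Jenkins default policy string is the one documented on the Jenkins wiki page linked in the thread; the "relaxed" policy is a hypothetical alternative written for illustration, not an ASF or Jenkins recommendation; the frame-src, child-src, default-src fallback order follows the CSP specification, which is why Firefox reports the block against `default-src 'none'` even though no frame directive is set.

```python
# Added example (editor's code, not Jenkins/ASF code): evaluate what a CSP
# header does to a page that frames same-origin HTML, as Derby's manuals and
# pre-Java-9 Javadocs do. Both policy strings below are constructed inputs.
from typing import Dict, List, Optional

# Jenkins' documented default CSP for served workspace/artifact files
# (hudson.model.DirectoryBrowserSupport), as shown on the Jenkins wiki.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Hypothetical relaxed policy, for illustration only: frames and assets may
# come from the Jenkins origin, and sandboxed frames keep their origin.
RELAXED_CSP = ("sandbox allow-same-origin; default-src 'self'; "
               "img-src 'self'; style-src 'self';")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header into {directive: [values]}.

    Directives are ';'-separated; the first token of each is its name.
    Per the CSP spec a repeated directive is ignored after its first copy.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy: Dict[str, List[str]],
                        chain: List[str]) -> Optional[str]:
    """Return the first directive in `chain` that the policy actually sets.

    For frames the chain is frame-src -> child-src -> default-src; if none
    of them is present the policy does not restrict frames at all.
    """
    for name in chain:
        if name in policy:
            return name
    return None


def allows_same_origin(sources: List[str]) -> bool:
    """True if a same-origin URL matches this source list.

    'none' overrides everything else; otherwise 'self' or '*' admits the
    page's own origin. Host-pattern matching is intentionally not modelled.
    """
    lowered = {s.lower() for s in sources}
    if "'none'" in lowered:
        return False
    return "'self'" in lowered or "*" in lowered


def frame_verdict(header: str) -> Dict[str, object]:
    """Summarise the policy's effect on a frameset page and its frames."""
    policy = parse_csp(header)
    directive = governing_directive(
        policy, ["frame-src", "child-src", "default-src"])
    frames_load = True if directive is None else allows_same_origin(policy[directive])
    sandbox_flags = {f.lower() for f in policy.get("sandbox", [])}
    return {
        "frames_load": frames_load,
        "governing_directive": directive,
        "sandboxed": "sandbox" in policy,
        # Without allow-same-origin a sandboxed frame gets an opaque origin,
        # so even a frame that does load cannot script or read its siblings.
        "sandbox_same_origin": "allow-same-origin" in sandbox_flags,
    }


if __name__ == "__main__":
    for label, csp in (("jenkins default", JENKINS_DEFAULT_CSP),
                       ("relaxed", RELAXED_CSP)):
        print(label, frame_verdict(csp))
```

To feed it a live header, fetch the document with `curl -sI` and pass the `Content-Security-Policy` value to `frame_verdict`. The wiki page referenced in the thread describes the knob for changing the served-file policy as the `hudson.model.DirectoryBrowserSupport.CSP` system property; whatever value is chosen there, the check above shows the trade-off Uwe is arguing about: a frame loads only once the governing directive admits `'self'`, and `sandbox` without `allow-same-origin` still isolates each frame from the others.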
