Posted to builds@apache.org by Sebastian <sn...@apache.org> on 2020/08/16 10:24:55 UTC

X-Content-Security-Policy on ci-builds.a.o

Hi,

when accessing Javadocs on the new ci-builds.apache.org the server sends

  Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';

which causes the "nightly" docs not to be shown properly in the browser, e.g.
- frames are empty
  https://ci-builds.apache.org/job/Nutch/job/Nutch-trunk/javadoc/index.html?overview-tree.html
- or XSLT is not applied
  https://ci-builds.apache.org/job/Nutch/job/Nutch-trunk/javadoc/resources/nutch-default.xml

The old builds.apache.org didn't send an X-Content-Security-Policy header and
the docs are shown appropriately:
  https://builds.apache.org/job/nutch-trunk/javadoc/index.html?overview-tree.html
  https://builds.apache.org/job/nutch-trunk/javadoc/resources/nutch-default.xml

Is there a reason for the stricter security policy?
If yes, what is the preferred way to publish documentation of nightly builds?

Thanks,
Sebastian
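
Added example (not part of the original message and not Jenkins code): a small Python check of the header value quoted above, showing which directive accounts for each symptom. It assumes same-origin content and treats only `'self'` and `*` as allowing it; the function names are illustrative.

```python
# Added example: evaluate the CSP header value quoted in this thread.
# Fetch directives fall back along these chains (CSP Level 3).
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "script-src": ["script-src", "default-src"],  # also governs XSLT stylesheets
    "style-src": ["style-src", "default-src"],
    "img-src": ["img-src", "default-src"],
}
LABELS = [("frame-src", "frames"), ("script-src", "scripts/XSLT"),
          ("style-src", "stylesheets"), ("img-src", "images")]

def parse_csp(header_value):
    """Split a CSP header value into {directive: [tokens]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`, or None if nothing restricts it."""
    for name in FALLBACK[directive]:
        if name in policy:
            return policy[name]
    return None

def blocked_features(header_value):
    """Features the policy blocks for same-origin content (simplified match)."""
    policy = parse_csp(header_value)
    blocked = []
    for directive, label in LABELS:
        sources = effective_sources(policy, directive)
        # Simplification (assumption): only 'self' and * count as allowing.
        if sources is not None and "'self'" not in sources and "*" not in sources:
            blocked.append(label)
    # `sandbox` without allow-scripts disables script execution on its own.
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        blocked.append("script execution (sandbox)")
    return blocked

# Header value as quoted in the message above.
HEADER = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

if __name__ == "__main__":
    print(blocked_features(HEADER))
```

Frames and XSLT have no directive of their own in this header, so both fall back to `default-src 'none'`, while images and stylesheets keep working through their explicit `'self'` entries.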

Re: X-Content-Security-Policy on ci-builds.a.o

Posted by Matt Sicker <bo...@gmail.com>.
There’s a new resource subdomain setting for this to avoid allowing cross
site scripting exploits from published stuff on the Jenkins domain. It’s an
admin setting, though.

On Sun, Aug 16, 2020 at 05:25 Sebastian <sn...@apache.org> wrote:

> Hi,
>
> when accessing Javadocs on the new ci-builds.apache.org the server sends
>
>   Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
>
> which causes the "nightly" docs not to be shown properly in the browser, e.g.
> - frames are empty
>   https://ci-builds.apache.org/job/Nutch/job/Nutch-trunk/javadoc/index.html?overview-tree.html
> - or XSLT is not applied
>   https://ci-builds.apache.org/job/Nutch/job/Nutch-trunk/javadoc/resources/nutch-default.xml
>
> The old builds.apache.org didn't send an X-Content-Security-Policy header and
> the docs are shown appropriately:
>   https://builds.apache.org/job/nutch-trunk/javadoc/index.html?overview-tree.html
>   https://builds.apache.org/job/nutch-trunk/javadoc/resources/nutch-default.xml
>
> Is there a reason for the stricter security policy?
> If yes, what is the preferred way to publish documentation of nightly builds?
>
> Thanks,
> Sebastian
>
> --
Matt Sicker <bo...@gmail.com>