Posted to infrastructure-issues@apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2016/04/26 01:19:13 UTC
[jira] [Created] (INFRA-11746) Change Jenkins Content Security Policy
Uwe Schindler created INFRA-11746:
-------------------------------------
Summary: Change Jenkins Content Security Policy
Key: INFRA-11746
URL: https://issues.apache.org/jira/browse/INFRA-11746
Project: Infrastructure
Issue Type: Improvement
Components: Jenkins
Reporter: Uwe Schindler
Jenkins changed the default Content Security Policy when delivering the web pages to no longer allow foreign domains in frames. Unfortunately this prevents Javadocs or similar documentation from displaying correctly.
The contents of stuff are under full control of the committers of the projects; there is no security risk in disabling this setting as described here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
We should change this for the ASF Jenkins instance to the state of the previous Jenkins LTS release.
Several projects are affected by this:
- Derby
- Lucene
See also mail on builds@ao: <https://mail-archives.apache.org/mod_mbox/www-builds/201604.mbox/%3CCAPbPdOYpULhAhgwSTc4Lvt%3DrJp9dvcNv5e%3D1%2BhS86WRHpZHR-Q%40mail.gmail.com%3E>
The following would restore previous behaviour:
The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:
If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war then the header will not be sent at all.
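Added example, not part of the original message or of Jenkins: a small Python check that takes the value given to hudson.model.DirectoryBrowserSupport.CSP and reports how the resulting header treats frames and scripts in served files such as Javadocs. The function names are hypothetical, ASSUMED_DEFAULT is an assumption about the restrictive default policy, and RELAXED_SAMPLE with docs.example.org is a constructed sample.

```python
# Added example: classify what a CSP header value does to framed, scripted docs.
# Both policy strings are constructed samples, not captured from ASF Jenkins.
ASSUMED_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_SAMPLE = "default-src 'self'; frame-src 'self' https://docs.example.org"


def parse_csp(header):
    """Return {directive: [tokens]}, or None when no header is sent."""
    if header is None or not header.strip():
        return None  # empty property value: Jenkins sends no CSP header
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a directive that repeats an earlier name.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _status(policy, chain):
    """Evaluate the first directive present in the fallback chain."""
    for name in chain:
        if name in policy:
            sources = [s.lower() for s in policy[name]]
            if not sources or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin only"
            return "restricted to: " + " ".join(policy[name])
    return "unrestricted"  # no CSP directive applies


def frame_report(header):
    """Summarise how a policy treats frames and scripts in served files."""
    policy = parse_csp(header)
    if policy is None:
        return {"header_sent": False, "sandboxed": False,
                "frames": "unrestricted", "scripts": "unrestricted"}
    report = {
        "header_sent": True,
        "sandboxed": "sandbox" in policy,
        "frames": _status(policy, ("frame-src", "child-src", "default-src")),
        "scripts": _status(policy, ("script-src", "default-src")),
    }
    # A sandbox without allow-scripts disables scripts whatever script-src says.
    flags = [t.lower() for t in policy.get("sandbox", [])]
    if report["sandboxed"] and "allow-scripts" not in flags:
        report["scripts"] = "blocked"
    return report
```

Running frame_report on the value currently configured and on the value proposed shows exactly which protections a change removes before it is applied to the instance.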