Posted to infrastructure-issues@apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2016/04/26 01:19:13 UTC

[jira] [Created] (INFRA-11746) Change Jenkins Content Security Policy

Uwe Schindler created INFRA-11746:
-------------------------------------

             Summary: Change Jenkins Content Security Policy
                 Key: INFRA-11746
                 URL: https://issues.apache.org/jira/browse/INFRA-11746
             Project: Infrastructure
          Issue Type: Improvement
          Components: Jenkins
            Reporter: Uwe Schindler


Jenkins changed the default Content Security Policy when delivering the web pages to no longer allow foreign domains in frames. Unfortunately this prevents Javadocs or similar documentation from displaying correctly.

The contents of this stuff are under full control of the committers of the projects; there is no security risk in disabling this setting, as described here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations

We should change this for the ASF Jenkins instance to the state of the previous Jenkins LTS release.

Several projects are affected by this:
- Derby
- Lucene

See also the mail on builds@ao: <https://mail-archives.apache.org/mod_mbox/www-builds/201604.mbox/%3CCAPbPdOYpULhAhgwSTc4Lvt%3DrJp9dvcNv5e%3D1%2BhS86WRHpZHR-Q%40mail.gmail.com%3E>

The following would restore previous behaviour:

The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:

If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war, then the header will not be sent at all.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
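The issue above proposes dropping the Content-Security-Policy header entirely so that framed Javadoc loads again. As an added illustration (this is editor-written example code, not part of the JIRA issue, the linked wiki page, or Jenkins itself), the following evaluator models just enough of CSP source matching to show why the default policy breaks frame-based Javadoc and that a policy which keeps a header but grants 'self' to frames is enough for same-origin documentation. The string JENKINS_DEFAULT_CSP is the default policy as documented on the linked Jenkins wiki page, reproduced from memory; verify it against the header your own instance sends (for example with curl -sI on a job's javadoc URL). RELAXED_CSP, the URLs and the job names are constructed for the example, and the matcher deliberately ignores CSP features that do not matter here (paths in host sources, nonces, hashes).

```python
"""Tiny CSP evaluator for the frame-loading case that breaks Jenkins-hosted Javadoc.

Editor-written example; not Jenkins code. Models frame-src -> child-src -> default-src
fallback, 'self' / 'none' / host sources, and the sandbox directive. Simplified on purpose.
"""
from urllib.parse import urlsplit

# Default policy for files served by DirectoryBrowserSupport as documented on the Jenkins
# wiki page linked in the issue (reproduced from memory; check your instance's headers).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Hypothetical alternative to removing the header: still sandboxed, but same-origin
# frames, images and styles are permitted. Constructed for this example.
RELAXED_CSP = "sandbox allow-same-origin; default-src 'self'; img-src 'self'; style-src 'self';"

# Directive lookup order a browser uses when deciding whether a frame may load.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header):
    """Split a policy into {directive: [source tokens]}.

    Per the CSP spec the first occurrence of a directive wins; later duplicates are ignored.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def origin_of(url):
    """scheme://host[:port], lower-cased, which is what 'self' compares against."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source, page_origin, target_origin):
    """Does one source expression permit loading target_origin from a page at page_origin?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return page_origin == target_origin
    if s == "*":
        return True
    if "://" in s:                      # scheme + host: require an exact origin match
        return s.rstrip("/") == target_origin
    host = target_origin.split("://", 1)[1]
    if s.startswith("*."):              # wildcard host such as *.example.org
        return host.endswith(s[1:])
    return host == s


def frame_allowed(header, page_url, frame_url):
    """True if a page served with `header` may load frame_url in a <frame>/<iframe>."""
    if header is None or not header.strip():
        return True                     # no header at all: the browser applies no CSP
    policy = parse_csp(header)
    for name in FRAME_FALLBACK:
        if name in policy:
            sources = policy[name]
            break
    else:
        return True                     # no governing directive: unrestricted
    if not sources or sources == ["'none'"]:
        return False                    # empty value or 'none' matches nothing
    page_o, frame_o = origin_of(page_url), origin_of(frame_url)
    return any(source_matches(s, page_o, frame_o) for s in sources)


def sandbox_keeps_origin(header):
    """False if `sandbox` is present without allow-same-origin, i.e. the document is
    treated as cross-origin to its own server even when frames are otherwise allowed."""
    policy = parse_csp(header or "")
    if "sandbox" not in policy:
        return True
    return "allow-same-origin" in policy["sandbox"]


if __name__ == "__main__":
    page = "https://builds.example.org/job/lucene/javadoc/index.html"       # constructed
    frame = "https://builds.example.org/job/lucene/javadoc/overview-frame.html"
    for label, csp in (("default", JENKINS_DEFAULT_CSP), ("no header", ""), ("relaxed", RELAXED_CSP)):
        print(f"{label:10} frame allowed={frame_allowed(csp, page, frame)} "
              f"same-origin kept={sandbox_keeps_origin(csp)}")
```

The evaluator only covers frame loads; Javadoc generated by recent JDKs also ships script.js, so script-src has to be considered separately before concluding that a given policy is sufficient. The practical point is that the two choices are not "default policy" or "no header": a policy such as RELAXED_CSP still refuses to frame foreign origins and still sandboxes the served files, while letting same-origin frames render.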