Posted to derby-dev@db.apache.org by Rick Hillegas <ri...@gmail.com> on 2016/05/07 13:57:50 UTC

Re: blank html frames in Jenkins-built documentation

Thanks, Uwe and Chris. The change described on 
https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed 
the problem. I can now see Derby's Jenkins-generated, frames-based, 
html-formatted alpha docs.

Thanks,
-Rick

On 4/25/16 4:19 PM, Uwe Schindler wrote:
> I opened https://issues.apache.org/jira/browse/INFRA-11746
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>> -----Original Message-----
>> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
>> Sent: Sunday, April 24, 2016 8:09 PM
>> To: builds@apache.org
>> Cc: Rick Hillegas<ri...@gmail.com>; derby-dev@db.apache.org
>> Subject: Re: blank html frames in Jenkins-built documentation
>>
>> Please open an INFRA JIRA.
>>
>> On Sunday, April 24, 2016, Uwe Schindler <us...@apache.org> wrote:
>>
>>> Hi,
>>>
>>> We have the same problem with our Lucene documentation. Some Lucene
>>> classes refer to JDK documentation. The links just result in a white page
>>> and the mentioned security warning in browser logs.
>>>
>>> For other Jenkins servers outside ASF the setting to disable these checks
>>> was added to prevent the javadocs problem.
>>>
>>> Unless Java 9 with the new Javadocs style comes, it is impossible to
>>> display Javadocs of previous versions with the frame security issues.
>>> Please disable this as described in Jenkins Wiki. Our build servers are
>>> under full control by infrastructure and committers. Nobody from the outside
>>> can inject custom pages loaded in frames.
>>>
>>> Uwe
>>>
>>> On 24 April 2016 16:34:16 MESZ, Rick Hillegas <rick.hillegas@gmail.com> wrote:
>>>> Hi Infrastructure experts,
>>>>
>>>> The Derby project uses Jenkins to build the latest version of our user
>>>> documentation. The resulting documents are linked from the Derby
>>>> website
>>>> here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
>>>> Jenkins-built documentation is in html format and it uses frames. The
>>>> Jenkins machines serve up those web pages as blank frames and my
>>>> Firefox
>>>> browser's error console reports the following:
>>>>
>>>> <consoleOutput>
>>>> Content Security Policy: Couldn't process unknown directive 'sandbox'
>>>> <unknown>
>>>> Content Security Policy: The page's settings blocked the loading of a
>>>> resource at
>>>>
>>>> https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
>>>> ("default-src 'none'").
>>>> </consoleOutput>
>>>>
>>>> The frames seem to have been intercepted in order to frustrate a
>>>> possible Cross Frame Scripting attack, as described by the default
>>>> Jenkins Content Security Policy:
>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> The default Jenkins Content Security Policy assumes that Apache
>>>> continuous-integration builds are exposed to the two risks listed here:
>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> I don't believe that Apache's Jenkins builds suffer from the first
>>>> risk ("Are less trusted users allowed to create or modify files in
>>>> Jenkins workspaces?"). That is because only trusted Apache committers
>>>> can trigger Jenkins builds. Do Apache continuous-integration builds
>>>> suffer from the second risk ("Are some slaves not fully trusted?").
>>>>
>>>> The Derby developers have begun discussing this problem at
>>>>
>>>> http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
>>>> I would appreciate your advice about how we can stop html frames from
>>>> being intercepted and blanked out when readers link to the
>>>> Jenkins-built documentation.
>>>>
>>>> Thanks,
>>>> -Rick
>


Re: blank html frames in Jenkins-built documentation

Posted by Bryan Pendleton <bp...@gmail.com>.
Rick, it looks like maybe this problem has re-occurred? On my browser,
I see:

     Refused to frame 'https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/toc.html'
     because it violates the following Content Security Policy directive: "default-src 'none'".
     Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Can you have a look and tell me what you see?

thanks,

bryan

===========================================================


On 5/7/2016 6:57 AM, Rick Hillegas wrote:
> Thanks, Uwe and Chris. The change described on https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed the problem. I can now see Derby's Jenkins-generated, frames-based, html-formatted alpha docs.
>
> Thanks,
> -Rick
>
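The console message Bryan quotes describes how a browser resolves a frame load under CSP: no `frame-src` is set, so `default-src 'none'` governs and the frame is refused. The following toy evaluator, added here and not part of the thread or of Jenkins, reproduces that decision and contrasts the thread's "disable the policy" remedy with the narrower fix of adding `frame-src 'self'`; the frameset page name and the full Jenkins default policy are assumptions.

```javascript
// Added example (not from the thread): a toy evaluator for CSP fetch directives that
// reproduces Bryan's console message, where an unset 'frame-src' falls back to
// default-src 'none'. Only the pieces the thread touches are implemented.
// Fallback chain per fetch directive. 'sandbox' is not a fetch directive and is ignored
// here, much as a browser that does not recognise the directive would ignore it.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
};
// Parse "name value value; name value" into a Map; the first occurrence of a name wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// Walk the fallback chain and return the directive that actually governs this load.
function governingDirective(policy, directive) {
  for (const name of FALLBACK[directive] || [directive, 'default-src']) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null; // nothing governs the load, so it is allowed
}
// Match one source expression: 'none', *, 'self', a scheme ("https:") or a host origin.
function sourceMatches(source, pageOrigin, resource) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return resource.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return resource.protocol === source.toLowerCase();
  try { return new URL(source).origin === resource.origin; } catch { return false; }
}
// Decide whether a page at pageUrl may load resourceUrl for the given fetch directive.
function checkLoad(header, directive, pageUrl, resourceUrl) {
  const governing = governingDirective(parsePolicy(header), directive);
  if (!governing) return { allowed: true, via: null };
  const page = new URL(pageUrl), resource = new URL(resourceUrl);
  const allowed = governing.sources.some((s) => sourceMatches(s, page.origin, resource));
  return { allowed, via: governing.name };
}
// Constructed from the thread (frameset page name assumed). JENKINS_DEFAULT is Jenkins's
// default policy of the time as I recall it (assumption); the thread quotes only two parts.
const PAGE = 'https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/index.html';
const TOC = 'https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/toc.html';
const JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self'";
```

`checkLoad(JENKINS_DEFAULT, 'frame-src', PAGE, TOC)` returns `{ allowed: false, via: 'default-src' }`, the case in Bryan's console; appending `; frame-src 'self'` to the policy allows the same-origin table of contents while still refusing frames from other origins, which an emptied policy would not.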