Posted to infrastructure-issues@apache.org by "Bryan Pendleton (JIRA)" <ji...@apache.org> on 2016/07/21 13:47:20 UTC
[jira] [Commented] (INFRA-11746) Change Jenkins Content Security Policy
[ https://issues.apache.org/jira/browse/INFRA-11746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15387712#comment-15387712 ]
Bryan Pendleton commented on INFRA-11746:
-----------------------------------------
This problem seems to be re-occurring -- has the configuration change been altered?
The Derby docs on the Jenkins site are displaying with blank frames, and the browser
console says:
Refused to frame 'https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/toc.html'
because it violates the following Content Security Policy directive: "default-src 'none'".
Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Can somebody please have a look?
> Change Jenkins Content Security Policy
> --------------------------------------
>
> Key: INFRA-11746
> URL: https://issues.apache.org/jira/browse/INFRA-11746
> Project: Infrastructure
> Issue Type: Improvement
> Components: Jenkins
> Reporter: Uwe Schindler
> Assignee: Chris Lambertus
>
> Jenkins changed the default Content Security Policy when delivering the web pages to no longer allow foreign domains in frames. Unfortunately this prevents Javadocs or similar documentation from displaying correctly.
> The contents of stuff is under full control by the committers of the projects, there is no security risk to disable this setting as described here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> We should change this for ASF Jenkins instance to the state of the previous Jenkins LTS release.
> Several projects are affected by this:
> - Derby
> - Lucene
> See also mail on builds@ao: <https://mail-archives.apache.org/mod_mbox/www-builds/201604.mbox/%3CCAPbPdOYpULhAhgwSTc4Lvt%3DrJp9dvcNv5e%3D1%2BhS86WRHpZHR-Q%40mail.gmail.com%3E>
> The following would restore previous behaviour:
> The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:
> If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war then the header will not be sent at all.
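The browser error quoted in the comment above is a direct consequence of CSP's fallback rule: when a page's policy has no `frame-src`, the `<iframe>` load is judged by `default-src`, and `default-src 'none'` refuses it. The following Python script is an added example, not code from this JIRA thread or from Jenkins; it parses a Content-Security-Policy header and reports which directive governs a frame load and whether that load is permitted. The two sample headers (`DEFAULT_JENKINS_CSP`, assumed to be the restrictive policy that triggered this issue, and `RELAXED_CSP`, a constructed variant that adds `frame-src 'self'`) and the URLs are constructed for the demonstration. Only the source expressions needed here are modelled: `'none'`, `'self'`, and host sources with an optional `*.` wildcard.

```python
"""Evaluate whether a Content-Security-Policy header permits framing a URL.

Added example (not part of the JIRA thread). It implements the CSP fallback
chain seen in the browser console message above: frame-src, then child-src,
then default-src decides an <iframe> load.
"""
from urllib.parse import urlparse

# Constructed sample headers. DEFAULT_JENKINS_CSP is assumed to be the
# restrictive policy a current Jenkins sends for build artifacts;
# RELAXED_CSP is a constructed variant that permits same-origin frames.
DEFAULT_JENKINS_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = "default-src 'none'; img-src 'self'; style-src 'self'; frame-src 'self';"


def parse_csp(header):
    """Return {directive-name: [source expressions]} from a CSP header."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence of a directive wins
    return policy


def _origin(url):
    """(scheme, host, port) triple used for 'self' and host-source matching."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def source_matches(expr, page_url, target_url):
    """Does one source expression allow loading target_url into page_url?"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return _origin(page_url) == _origin(target_url)
    # Host source: [scheme://]host[:port], host may start with "*."
    scheme, host, port = _origin(target_url)
    if "://" in expr:
        e_scheme, _, rest = expr.partition("://")
        if e_scheme.lower() != scheme:
            return False
    else:
        rest = expr
    e_host, _, e_port = rest.partition(":")
    if e_port and e_port != "*" and int(e_port) != port:
        return False
    e_host = e_host.lower()
    if e_host.startswith("*."):
        return host.endswith(e_host[1:])
    return host == e_host


def frame_allowed(header, page_url, frame_url):
    """Return (allowed, governing_directive) for an <iframe> load.

    An empty header (the 'header not sent at all' case) imposes no restriction.
    """
    policy = parse_csp(header)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            allowed = any(source_matches(s, page_url, frame_url) for s in policy[directive])
            return allowed, directive
    return True, None


if __name__ == "__main__":
    # Constructed URLs mirroring the Derby docs layout from the comment above.
    page = "https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/index.html"
    toc = "https://builds.apache.org/job/Derby-docs/lastBuild/artifact/trunk/out/ref/toc.html"
    for label, header in (("default", DEFAULT_JENKINS_CSP), ("relaxed", RELAXED_CSP), ("unset", "")):
        allowed, directive = frame_allowed(header, page, toc)
        print(f"{label:8s} allowed={allowed!s:5s} governed by {directive}")
```

Running it shows the three states the thread discusses: the restrictive header refuses the same-origin TOC frame via `default-src`, an empty header (the system property set to the empty string) imposes no restriction at all, and an explicit `frame-src 'self'` restores same-origin framing while still blocking frames from any other origin.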
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)