Posted to infrastructure-issues@apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2016/05/07 17:11:13 UTC

[jira] [Comment Edited] (INFRA-11746) Change Jenkins Content Security Policy

    [ https://issues.apache.org/jira/browse/INFRA-11746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15275292#comment-15275292 ] 

Uwe Schindler edited comment on INFRA-11746 at 5/7/16 5:11 PM:
---------------------------------------------------------------

Hi,
for Lucene the change did not yet fully solve the issue. We can now correctly show our own Javadocs, but Lucene refers to Oracle's Javadocs of the JDK. Those cannot be loaded into the frames. The difference from before is: the page is not white anymore, but instead Chrome does nothing when clicking on a link pointing to Oracle.

Example:
- go to: https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/index.html
- click on "org.apache.lucene.index" package on the right
- open Javadocs for "CheckIndex"
- now try to click on interface "Closeable" or "AutoCloseable". This refers to Javadocs hosted at Oracle. This link does not work anymore.

In addition, the above homepage shows the following errors in the console:

==================================================================================================
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-LQyKYhDtOuxzwf/TXFXDmvYcnNMftwyH6sArCe90aeg='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/script.js' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/script.js' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/script.js' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

GET https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/resources/fonts/dejavu.css 404 (Not Found)
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-MzH73/Yoza8E/cX3v0BtmqvUeFG+hmeqUGg4miN9XRQ='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-PSqJLCEYMCvdHi3sIJz4fUsZj7ahzn993Yqv0aVfFOo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-a9nx3qNPw6V9LrZWQmA7PXyVbV7uwfr9dOrRZBjSvMQ='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the script 'https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/prettify.js' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-TQlkgVSdwmqM/rFmgHzxcEk2IdaV2B2n4tDYLuzP6j4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
====================================================================================

This makes all Javascript not work; inline styles are also broken, e.g. if you go to Lucene's documentation homepage (non-Javadoc): https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/

Because of this, the trademark symbol on the homepage is not shown correctly; you just see it as plain text "TM" in an unformatted "Apache LuceneTM". The reason is the inline style that was blocked as shown above.

The following error is shown in the browser console:

========================================================================
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-nSz+3iQ/t8xa+8CyFEhj6ds7jjLG7RjKDUh0T57plb0='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-BfWl8x/rk4BtDX5pTnTV7LPLzTDJx6UwkLjkqNy+tLM='), or a nonce ('nonce-...') is required to enable inline execution.
========================================================================

In addition, syntax highlighting of examples does not work, because the required Javascript cannot be loaded, e.g. see https://builds.apache.org/job/Lucene-Artifacts-master/javadoc/core/org/apache/lucene/analysis/package-summary.html
(no syntax highlighting in the source code boxes).

In my opinion, please remove the Content Security Policy completely, or at least allow inline scripts, inline styles and foreign frame HTML.

Apache Lucene has another Jenkins server, which is used for the extensive EA-release testing together with Oracle (http://jenkins.thetaphi.de), where the content security was disabled because of that. The reason for disabling the Content Security Policy is simple: only ASF committers can change the source code from which the Javadocs are generated, so there is no security risk (unless we have a bad committer). But then also the release Javadocs on https://lucene.apache.org could be problematic.

> Change Jenkins Content Security Policy
> --------------------------------------
>
>                 Key: INFRA-11746
>                 URL: https://issues.apache.org/jira/browse/INFRA-11746
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Jenkins
>            Reporter: Uwe Schindler
>            Assignee: Chris Lambertus
>
> Jenkins changed the default Content Security Policy when delivering the web pages to no longer allow foreign domains in frames. Unfortunately this prevents Javadocs or similar documentation from displaying correctly.
> The contents are under full control of the committers of the projects, so there is no security risk in disabling this setting, as described here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> We should change this for the ASF Jenkins instance to the state of the previous Jenkins LTS release.
> Several projects are affected by this:
> - Derby
> - Lucene
> See also mail on builds@ao: <https://mail-archives.apache.org/mod_mbox/www-builds/201604.mbox/%3CCAPbPdOYpULhAhgwSTc4Lvt%3DrJp9dvcNv5e%3D1%2BhS86WRHpZHR-Q%40mail.gmail.com%3E>
> The following would restore previous behaviour:
> The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:
> If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war, then the header will not be sent at all.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)