www-builds mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: blank html frames in Jenkins-built documentation
Date Mon, 25 Apr 2016 23:19:18 GMT
I opened https://issues.apache.org/jira/browse/INFRA-11746

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de

> -----Original Message-----
> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
> Sent: Sunday, April 24, 2016 8:09 PM
> To: builds@apache.org
> Cc: Rick Hillegas <rick.hillegas@gmail.com>; derby-dev@db.apache.org
> Subject: Re: blank html frames in Jenkins-built documentation
> 
> Please open an INFRA JIRA.
> 
> On Sunday, April 24, 2016, Uwe Schindler <uschindler@apache.org> wrote:
> 
> > Hi,
> >
> > We have the same problem with our Lucene documentation. Some Lucene
> > classes refer to JDK documentation. The links just result in a white page
> > and the mentioned security warning in browser logs.
> >
> > For other Jenkins servers outside ASF the setting to disable these checks
> > was added to prevent the javadocs problem.
> >
> > Unless Java 9 with the new Javadocs style comes, it is impossible to
> > display Javadocs of previous versions with the frame security issues.
> > Please disable this as described in Jenkins Wiki. Our build servers are
> > under full control by infrastructure and committers. Nobody from the outside
> > can inject custom pages loaded in frames.
> >
> > Uwe
> >
> > On 24 April 2016 16:34:16 CEST, Rick Hillegas <rick.hillegas@gmail.com> wrote:
> > >Hi Infrastructure experts,
> > >
> > >The Derby project uses Jenkins to build the latest version of our user
> > >documentation. The resulting documents are linked from the Derby website
> > >here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
> > >Jenkins-built documentation is in html format and it uses frames. The
> > >Jenkins machines serve up those web pages as blank frames and my Firefox
> > >browser's error console reports the following:
> > >
> > ><consoleOutput>
> > >Content Security Policy: Couldn't process unknown directive 'sandbox'
> > ><unknown>
> > >Content Security Policy: The page's settings blocked the loading of a
> > >resource at
> > >https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
> > >("default-src 'none'").
> > ></consoleOutput>
> > >
> > >The frames seem to have been intercepted in order to frustrate a
> > >possible Cross Frame Scripting attack, as described by the default
> > >Jenkins Content Security Policy:
> > >
> > >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >The default Jenkins Content Security Policy assumes that Apache
> > >continuous-integration builds are exposed to the two risks listed here:
> > >
> > >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >I don't believe that Apache's Jenkins builds suffer from the first
> > >risk ("Are less trusted users allowed to create or modify files in
> > >Jenkins workspaces?"). That is because only trusted Apache committers
> > >can trigger Jenkins builds. Do Apache continuous-integration builds
> > >suffer from the second risk ("Are some slaves not fully trusted?")?
> > >
> > >The Derby developers have begun discussing this problem at
> > >
> > >http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
> > >
> > >I would appreciate your advice about how we can stop html frames from
> > >being intercepted and blanked out when readers link to the Jenkins-built
> > >documentation.
> > >
> > >Thanks,
> > >-Rick
> >
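
Added example, not part of the original messages: a simplified model of how a browser picks the CSP directive that governs a frame load, showing why the console output in the quoted report cites `default-src 'none'`. The host names, both policy strings and the `frame-src 'self'` variant are constructed for illustration; the model ignores the `sandbox` directive and host-source expressions.

```python
from urllib.parse import urlsplit

# Order in which CSP looks for a directive governing frame loads.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        # A repeated directive is ignored: the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def frame_decision(header, page_url, frame_url):
    """Return (allowed, governing_directive) for loading frame_url in a frame."""
    policy = parse_csp(header)
    for name in FRAME_FALLBACK:
        if name in policy:
            sources = policy[name]
            break
    else:
        return True, None  # no applicable directive: frames are unrestricted
    # 'none' (or an empty list) matches nothing; only '*' and 'self' are modelled.
    allowed = any(
        src == "*" or (src == "'self'" and origin(frame_url) == origin(page_url))
        for src in sources
    )
    return allowed, name

# Constructed sample input: the two directives seen in the console output.
REPORTED = "sandbox; default-src 'none'"
# Hypothetical narrower relaxation: same-origin frames only, all else still 'none'.
SAME_ORIGIN_FRAMES = "sandbox; default-src 'none'; frame-src 'self'"
PAGE = "https://ci.example.org/job/docs/artifact/out/ref/index.html"
FRAME = "https://ci.example.org/job/docs/artifact/out/ref/toc.html"

if __name__ == "__main__":
    for label, csp in (("reported", REPORTED), ("frame-src 'self'", SAME_ORIGIN_FRAMES)):
        print(label, frame_decision(csp, PAGE, FRAME))
```

With no `frame-src` or `child-src` present, the frame load falls through to `default-src`, which is why that directive appears in the browser's message.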

