www-builds mailing list archives

From Rick Hillegas <rick.hille...@gmail.com>
Subject Re: blank html frames in Jenkins-built documentation
Date Sat, 07 May 2016 13:57:50 GMT
Thanks, Uwe and Chris. The change described on 
https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed 
the problem. I can now see Derby's Jenkins-generated, frames-based, 
html-formatted alpha docs.

Thanks,
-Rick

On 4/25/16 4:19 PM, Uwe Schindler wrote:
> I opened https://issues.apache.org/jira/browse/INFRA-11746
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe@thetaphi.de
>
>> -----Original Message-----
>> From: Andrew Bayer [mailto:andrew.bayer@gmail.com]
>> Sent: Sunday, April 24, 2016 8:09 PM
>> To: builds@apache.org
>> Cc: Rick Hillegas<rick.hillegas@gmail.com>; derby-dev@db.apache.org
>> Subject: Re: blank html frames in Jenkins-built documentation
>>
>> Please open an INFRA JIRA.
>>
>> On Sunday, April 24, 2016, Uwe Schindler<uschindler@apache.org>  wrote:
>>
>>> Hi,
>>>
>>> We have the same problem with our Lucene documentation. Some Lucene
>>> classes refer to JDK documentation. The links just result in a white page
>>> and the mentioned security warning in browser logs.
>>>
>>> For other Jenkins servers outside ASF the setting to disable these checks
>>> was added to prevent the javadocs problem.
>>>
>>> Unless Java 9 with the new Javadocs style comes, it is impossible to
>>> display Javadocs of previous versions with the frame security issues.
>>> Please disable this as described in Jenkins Wiki. Our build servers are
>>> under full control by infrastructure and committers. Nobody from the outside
>>> can inject custom pages loaded in frames.
>>>
>>> Uwe
>>>
>>> On 24 April 2016 16:34:16 CEST, Rick Hillegas
>>> <rick.hillegas@gmail.com> wrote:
>>>> Hi Infrastructure experts,
>>>>
>>>> The Derby project uses Jenkins to build the latest version of our user
>>>> documentation. The resulting documents are linked from the Derby
>>>> website here: http://db.apache.org/derby/manuals/index.html#latest.
>>>> Some of the Jenkins-built documentation is in html format and it uses
>>>> frames. The Jenkins machines serve up those web pages as blank frames
>>>> and my Firefox browser's error console reports the following:
>>>>
>>>> <consoleOutput>
>>>> Content Security Policy: Couldn't process unknown directive 'sandbox'
>>>> <unknown>
>>>> Content Security Policy: The page's settings blocked the loading of a
>>>> resource at
>>>> https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
>>>> ("default-src 'none'").
>>>> </consoleOutput>
>>>>
>>>> The frames seem to have been intercepted in order to frustrate a
>>>> possible Cross Frame Scripting attack, as described by the default
>>>> Jenkins Content Security Policy:
>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> The default Jenkins Content Security Policy assumes that Apache
>>>> continuous-integration builds are exposed to the two risks listed here:
>>>>
>>>> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
>>>> . I don't believe that Apache's Jenkins builds suffer from the first
>>>> risk ("Are less trusted users allowed to create or modify files in
>>>> Jenkins workspaces?"). That is because only trusted Apache committers
>>>> can trigger Jenkins builds. Do Apache continuous-integration builds
>>>> suffer from the second risk ("Are some slaves not fully trusted?")?
>>>>
>>>> The Derby developers have begun discussing this problem at
>>>>
>>>> http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
>>>> . I would appreciate your advice about how we can stop html frames from
>>>> being intercepted and blanked out when readers link to the
>>>> Jenkins-built documentation.
>>>>
>>>> Thanks,
>>>> -Rick
>
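
Added example (not part of the thread, and not Jenkins or browser code): a simplified JavaScript check showing why a policy with the two directives from the console output above blanks a same-origin frame. It applies the CSP fallback from frame-src to child-src to default-src; the ci.example URLs and the comparison policy are constructed, and only 'none', 'self', '*' and exact-origin sources are handled.

```javascript
// Added example: simplified CSP frame check, not a complete CSP3 matcher.
// Handles only 'none', 'self', '*' and exact-origin source expressions.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Frame loads are governed by frame-src, else child-src, else default-src.
function governingFrameDirective(directives) {
  return ['frame-src', 'child-src', 'default-src'].find((d) => directives.has(d)) || null;
}

function checkFrame(header, pageUrl, frameUrl) {
  const directives = parsePolicy(header);
  const directive = governingFrameDirective(directives);
  if (directive === null) return { allowed: true, directive: null };
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(frameUrl).origin;
  // An empty source list or 'none' matches nothing, so the frame is blocked.
  const allowed = directives.get(directive).some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return frameOrigin === pageOrigin;
    if (s === '*') return true;
    try { return new URL(src).origin === frameOrigin; } catch { return false; }
  });
  return { allowed, directive };
}

// Constructed sample input: hypothetical CI host, same origin for page and frame.
const PAGE = 'https://ci.example/job/docs/artifact/out/index.html';
const FRAME = 'https://ci.example/job/docs/artifact/out/toc.html';
// The two directives named in the console output quoted in the thread.
const REPORTED = "sandbox; default-src 'none'";
// Constructed comparison policy that names frames explicitly.
const COMPARISON = "default-src 'none'; frame-src 'self'";

console.log(checkFrame(REPORTED, PAGE, FRAME));   // blocked via default-src
console.log(checkFrame(COMPARISON, PAGE, FRAME)); // allowed via frame-src
```
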

