From "Chris Lambertus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-11746) Change Jenkins Content Security Policy
Date Wed, 11 May 2016 00:55:13 GMT

    [ https://issues.apache.org/jira/browse/INFRA-11746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15279325#comment-15279325 ]

Chris Lambertus commented on INFRA-11746:

I'll need to discuss this a bit more here with [~abayer] at ACNA. Just discussed with the
infra folks at the table here and we've got some concerns that this is related to a Jenkins
security incident, so we're not ready to set this to "allow all." We'll put our heads together
and hopefully update this soon.

> Change Jenkins Content Security Policy
> --------------------------------------
>                 Key: INFRA-11746
>                 URL: https://issues.apache.org/jira/browse/INFRA-11746
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Jenkins
>            Reporter: Uwe Schindler
>            Assignee: Chris Lambertus
> Jenkins changed the default Content Security Policy when delivering the web pages to
> no longer allow foreign domains in frames. Unfortunately this prevents Javadocs or similar
> documentation from displaying correctly.
> The contents of stuff are under full control of the committers of the projects; there is
> no security risk to disable this setting as described here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> We should change this for the ASF Jenkins instance to the state of the previous Jenkins LTS.
> Several projects are affected by this:
> - Derby
> - Lucene
> See also mail on builds@ao: <https://mail-archives.apache.org/mod_mbox/www-builds/201604.mbox/%3CCAPbPdOYpULhAhgwSTc4Lvt%3DrJp9dvcNv5e%3D1%2BhS86WRHpZHR-Q%40mail.gmail.com%3E>
> The following would restore previous behaviour:
> The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:
> If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP=
> -jar jenkins.war then the header will not be sent at all.
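An added example, not part of this JIRA thread and not Jenkins code: a small Python check that classifies the Content-Security-Policy header a Jenkins instance returns for workspace or artifact pages as absent (the empty-string property setting quoted above), relaxed (scripts can run or foreign origins can be framed), or restrictive. The header values it is run against are constructed samples, not captured from the ASF instance.

```python
# Added example: classify the CSP header Jenkins serves with artifact/workspace pages.
# Sample header values below are constructed for illustration.
from typing import Optional

# CSP fallback chains for the two fetch directives this check cares about.
FETCH_FALLBACK = {"script-src": ["default-src"], "frame-src": ["child-src", "default-src"]}

def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def effective_sources(policy: dict, directive: str) -> Optional[list]:
    """Resolve a fetch directive through its fallback chain; None means unrestricted."""
    for name in [directive] + FETCH_FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None

def scripts_allowed(policy: dict) -> bool:
    # A 'sandbox' directive without allow-scripts blocks script execution outright.
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    sources = effective_sources(policy, "script-src")
    return sources is None or "'none'" not in sources

def foreign_frames_allowed(policy: dict) -> bool:
    """True if frames may load from any origin other than the page's own."""
    sources = effective_sources(policy, "frame-src")
    if sources is None:
        return True
    return any(s == "*" or (s not in ("'self'", "'none'") and ("." in s or s.endswith(":")))
               for s in sources)

def assess_csp(header: Optional[str]) -> str:
    """'absent' (property set to the empty string), 'relaxed' or 'restrictive'."""
    if header is None or not header.strip():
        return "absent"
    policy = parse_csp(header)
    if scripts_allowed(policy) or foreign_frames_allowed(policy):
        return "relaxed"
    return "restrictive"

# Constructed samples: a locked-down policy and one that permits scripts and framing of any origin.
LOCKED_DOWN = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
OPENED_UP = "sandbox allow-scripts; default-src 'self'; script-src 'self' 'unsafe-inline'; frame-src *;"
```

Running `assess_csp` over the header of a real artifact URL (for example via `requests.head`) tells an operator which of the three states an instance is actually in, which is the question the comment above leaves open.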
