Elad Benda - 1 month ago
CSS Question

because the document's frame is sandboxed and the 'allow-scripts' permission is not set

I wrote a program that generated an HTML file with this header:

but I don't have an iframe at all, let alone in a sandbox.

When I open the page in the browser (hosted on a Jenkins server) I see no CSS.

These are the errors (security policy):

I have seen some posts on Stack Overflow saying the <meta> should be like:

<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">


but as you can see in my screenshot, that didn't help.

Any idea how I can fix this?

Answer

You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.

One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:

The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:

If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war, then the header will not be sent at all.

(Warning!) This is potentially very unsafe and should only be used after reviewing the overall security setup.

You can experiment with different settings using the Jenkins Script Console. To enable CSS and images from external sites, you could use something like:

// Groovy, run in the Jenkins Script Console. Note: '*' in quotes is not a valid CSP source and is ignored by browsers; the wildcard must be bare.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';")

Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.
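To see concretely why the stylesheet was blocked and what the relaxed property changes, here is an added Python checker (not from the question, the answer or Jenkins) that parses a CSP header value and decides whether a style or script load is permitted. The STRICT_CSP value is assumed to be Jenkins's locked-down default; confirm it against the actual response header of your server.

```python
from urllib.parse import urlparse

# Constructed header values. STRICT_CSP is assumed to be what a locked-down
# Jenkins sends; RELAXED_CSP is the value set in the answer above.
STRICT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';"


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, page_origin, url):
    """True if one source expression permits fetching url from page_origin.

    Simplified host matching (no scheme or port checks). Quoted tokens other
    than the keywords, such as '*', are invalid CSP and never match.
    """
    if expr == "'none'":
        return False
    if expr == "'self'":
        return urlparse(url).netloc == urlparse(page_origin).netloc
    if expr == "*":
        return True
    host = urlparse(url).netloc
    expr_host = expr.split("://")[-1]
    if expr_host.startswith("*."):
        return host.endswith(expr_host[1:])
    return host == expr_host


def allows(header, page_origin, kind, url=None, inline=False):
    """Decide whether a 'style' or 'script' load is permitted by the header.

    With 'sandbox' present and no allow-scripts flag, scripts are blocked
    regardless of script-src, which is exactly the console error in the question.
    """
    policy = parse_csp(header)
    if kind == "script" and "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    sources = policy.get(f"{kind}-src", policy.get("default-src", ["*"]))
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_matches(e, page_origin, url) for e in sources)
```

Note that the relaxed value still keeps the sandbox directive, so scripts remain blocked even though styles and images now load.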