Please open an INFRA JIRA.

On Sunday, April 24, 2016, Uwe Schindler <uschind...@apache.org> wrote:
> Hi,
>
> We have the same problem with our Lucene documentation. Some Lucene
> classes refer to JDK documentation. The links just result in a white page
> and the mentioned security warning in browser logs.
>
> For other Jenkins servers outside ASF the setting to disable these checks
> was added to prevent the javadocs problem.
>
> Unless Java 9 with the new Javadocs style comes, it is impossible to
> display Javadocs of previous versions with the frame security issues.
> Please disable this as described in Jenkins Wiki. Our build servers are
> under full control by infrastructure and committers. Nobody from the outside
> can inject custom pages loaded in frames.
>
> Uwe
>
> On 24 April 2016 16:34:16 CEST, Rick Hillegas <rick.hille...@gmail.com> wrote:
> >Hi Infrastructure experts,
> >
> >The Derby project uses Jenkins to build the latest version of our user
> >documentation. The resulting documents are linked from the Derby website
> >here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
> >Jenkins-built documentation is in html format and it uses frames. The
> >Jenkins machines serve up those web pages as blank frames and my Firefox
> >browser's error console reports the following:
> >
> ><consoleOutput>
> >Content Security Policy: Couldn't process unknown directive 'sandbox'
> ><unknown>
> >Content Security Policy: The page's settings blocked the loading of a
> >resource at
> >https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
> >("default-src 'none'").
> ></consoleOutput>
> >
> >The frames seem to have been intercepted in order to frustrate a
> >possible Cross Frame Scripting attack, as described by the default
> >Jenkins Content Security Policy:
> >
> >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> >
> >The default Jenkins Content Security Policy assumes that Apache
> >continuous-integration builds are exposed to the two risks listed here:
> >
> >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> >
> >I don't believe that Apache's Jenkins builds suffer from the first
> >risk ("Are less trusted users allowed to create or modify files in
> >Jenkins workspaces?"). That is because only trusted Apache committers
> >can trigger Jenkins builds. Do Apache continuous-integration builds
> >suffer from the second risk ("Are some slaves not fully trusted?")?
> >
> >The Derby developers have begun discussing this problem at
> >
> >http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
> >
> >I would appreciate your advice about how we can stop html frames from
> >being intercepted and blanked out when readers link to the Jenkins-built
> >documentation.
> >
> >Thanks,
> >-Rick
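
The console output quoted above names `default-src 'none'` as the reason the frame was blocked. The following is an added example, not part of the thread and not Jenkins or browser code: a simplified model of the CSP fallback for frame loads, showing why that directive applies and how a policy that permits only same-origin frames is evaluated. The frameset page URL, the policy strings and all function names are constructed for illustration.

```javascript
// Simplified model of the CSP check for loading a document into a frame.
// Constructed sample input: the toc.html URL is from the thread, PAGE is assumed.
const TOC = "https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html";
const PAGE = TOC.replace("toc.html", "index.html");
const REPORTED_POLICY = "sandbox; default-src 'none'";                   // directives named in the console output
const SAME_ORIGIN_FRAMES = "sandbox; default-src 'none'; child-src 'self'"; // constructed variant

// Parse a policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Frame loads are governed by frame-src, else child-src, else default-src.
function governingDirective(directives) {
  return ["frame-src", "child-src", "default-src"].find((d) => directives.has(d)) || null;
}

// Match one source expression: 'none', 'self', scheme sources (https:) and
// plain origins. Host wildcards and path matching are not modelled.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

// Decide whether frameUrl may be framed by pageUrl under the given policy.
// "sandboxed" only reports that the directive is present; its effects are not modelled.
function frameDecision(policy, pageUrl, frameUrl) {
  const directives = parseCsp(policy);
  const sandboxed = directives.has("sandbox");
  const name = governingDirective(directives);
  if (name === null) return { allowed: true, directive: null, sandboxed };
  const frame = new URL(frameUrl), origin = new URL(pageUrl).origin;
  const allowed = directives.get(name).some((s) => sourceMatches(s, frame, origin));
  return { allowed, directive: name, sandboxed };
}

console.log(frameDecision(REPORTED_POLICY, PAGE, TOC));
console.log(frameDecision(SAME_ORIGIN_FRAMES, PAGE, TOC));
```

In this model the second policy permits the same-origin frame while a frame from any other origin is still refused; script and style loading inside the framed page are governed by their own directives and are not covered here.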