|
||||||||
|
This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira |
||||||||
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
@rborer @npfistner have you tried using (a snapshot of) the XFrame Filter plugin and just setting the header to blank (the empty string)? This causes Jenkins to send the header but with a blank value. If that is handled the same as an unset header by major browsers then this would be the easiest option.
Otherwise I think we need an extension point in core with matching GlobalSecurityConfiguration UI with two implementations in core: current SAMEORIGIN as default, and no header with a warning about resulting vulnerabilities; the XFrame Filter plugin would offer a third implementation: a customizable header, and perhaps in the future the possibility to adjust the header dynamically according to User-Agent and/or Referer.