On 03.02.2015, at 16:29, Wt Riker <wtriker....@gmail.com> wrote:

> The link is:
>
> http://jenkins.server.com:8080/static/452bd4e7/scripts/yui/connection/connection-min.js

Better readable file: https://github.com/jenkinsci/jenkins/blob/master/war/src/main/webapp/scripts/yui/connection/connection-debug.js#L1046

It's part of the YUI library and used to enable cross-domain requests. According to https://helpx.adobe.com/flash-player/kb/changes-allowscriptaccess-default-flash-player.html doing this requires AllowScriptAccess 'always'.

> It protects an HTML file from a potentially untrusted SWF file, by
> controlling the ability of that SWF file to call JavaScript code in the
> surrounding HTML file. AllowScriptAccess has three possible values: "always",
> "sameDomain", and "never".

I'm not a Flash expert, but as the SWF file used here is connection.swf from the same library (YUI) and should be trusted, and any embedding only happens for deliberate cross-domain requests, this doesn't seem to be a real issue.

If you have further information that shows this is an actual problem, please submit a report with further information to the SECURITY project in Jira.

https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories#SecurityAdvisories-ReportSecurityProblems
https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue