because the document's frame is sandboxed and the 'allow-scripts' permission is not set
I wrote a program that generated an HTML file with this header:

[screenshot not reproduced]

but I don't have an iframe at all, let alone in a sandbox

[screenshot not reproduced]

When I open the page in the browser (hosted on a Jenkins server) I see no CSS.

These are the errors (security policy):

[screenshot not reproduced]

I have seen some posts on Stack Overflow saying the <meta> should be like:

<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com"> 

but as you can see in my screenshot, that didn't help.

Any idea how I can fix this?

Jewelry answered 26/1, 2016 at 16:26
This is due to security changes in Jenkins, see https://mcmap.net/q/168843/-jenkins-html-publisher-plugin-no-external-links-with-jenkins-1-643/172599 -- Murphy
Why the downvote? I don't get it. -- Jewelry
There are a number of things that could be improved in this post: 1) the title does not explain the problem ("Why is CSS blocked by the Content Security Policy in my document"), 2) the error messages are only shown in a small font in an image (which makes them both hard to read and non-searchable), 3) the phrase "but I don't have iframe at all, let alone in sandbox" makes no sense. -- Murphy
Thanks. 1) I'm used to searching posts on SOF by error text, so I thought this would make this post more searchable. 2) The images are easy to click and expand. No small fonts. 3) It makes no sense to me as well. That's why I asked and couldn't use answers from other posts. -- Jewelry
Possible duplicate of Blocked script execution in <URL>. because the document's frame is sandboxed and the 'allow-scripts' permission is not set -- Bertsche
You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.

One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:

The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:

If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war then the header will not be sent at all.

(Warning!) This is potentially very unsafe and should only be used after reviewing the overall security setup.

You can experiment with different settings using the Jenkins Script Console. To enable CSS and images from external sites, you could use something like:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';")

Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.

Murphy answered 27/1, 2016 at 7:3
Yes, I see "Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';" -- Jewelry
Is there any solution where I continue deploying on Jenkins and not relaxing Jenkins for all files on our team machine? -- Jewelry
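As an added example (not code from the question, the answer, or Jenkins itself), here is a small Python evaluator that parses a CSP header value and reports which of a few constructed resource loads it would permit. It is run against the two policies quoted on this page: the strict default header Jenkins sends (from the comment above) and the relaxed value set through System.setProperty in the answer. The page origin and resource URLs are constructed placeholders, and the host matcher ignores ports and paths for brevity, which is a simplification of real CSP semantics, not a full implementation.

```python
"""Added example: evaluate a Content-Security-Policy header value against
constructed resource loads, to show why Jenkins' default policy blocks a
report page's CSS and scripts. Not Jenkins code; hosts below are placeholders."""
from urllib.parse import urlsplit

# Policies quoted on this page: Jenkins' default header, and the relaxed
# value from the System.setProperty call in the answer above.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';"

# Constructed placeholders (hypothetical hosts, not real deployments).
PAGE_ORIGIN = "http://jenkins.example.test"
EXTERNAL_CSS = "https://maxcdn.bootstrapcdn.com/example.css"
LOCAL_CSS = PAGE_ORIGIN + "/job/report/style.css"
LOCAL_JS = PAGE_ORIGIN + "/job/report/app.js"

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src"}


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # *.example.test matches any subdomain
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source, resource_url, page_origin):
    """Does one source expression permit fetching resource_url?
    Simplification: ports and paths in host-sources are ignored."""
    res, page = urlsplit(resource_url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        return False  # keyword sources ('unsafe-inline', nonces, hashes) never match a URL
    if source == "*":
        return res.scheme in ("http", "https", "ws", "wss")  # data:/blob: are not covered
    if source.endswith(":") and "/" not in source:
        return res.scheme == source[:-1].lower()  # scheme-source such as "https:"
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme:
        if src.scheme != res.scheme:
            return False
    elif res.scheme not in (page.scheme, "https"):
        return False  # schemeless host-source: the page's scheme, or an upgrade to https
    return _host_matches(src.hostname or "", res.hostname or "")


def _governing_sources(policy, directive):
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    return sources


def load_allowed(policy, directive, resource_url, page_origin=PAGE_ORIGIN):
    """Would the policy let the page load resource_url under this directive?"""
    sources = _governing_sources(policy, directive)
    if sources is None:
        return True  # no governing directive: CSP places no restriction
    return any(source_allows(s, resource_url, page_origin) for s in sources)


def inline_allowed(policy, directive):
    """Inline <style>/<script> blocks need 'unsafe-inline' (or a nonce/hash, not modelled)."""
    sources = _governing_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def scripts_allowed(policy):
    """A 'sandbox' directive without allow-scripts disables script execution
    entirely, whatever script-src permits (the error quoted in the title)."""
    return "sandbox" not in policy or "allow-scripts" in policy["sandbox"]


def audit(header_value):
    """Report what a report page served under this header value could do."""
    policy = parse_csp(header_value)
    return {
        "external css": load_allowed(policy, "style-src", EXTERNAL_CSS),
        "local css": load_allowed(policy, "style-src", LOCAL_CSS),
        "inline style": inline_allowed(policy, "style-src"),
        "local script fetch": load_allowed(policy, "script-src", LOCAL_JS),
        "scripts execute": scripts_allowed(policy),
    }


if __name__ == "__main__":
    for name, value in (("jenkins default", JENKINS_DEFAULT_CSP), ("relaxed", RELAXED_CSP)):
        print(name, audit(value))
```

The audit makes two points visible that the screenshots in the question hide: under the default header, external and inline CSS fail because style-src is 'self' only, and script loads fail because script-src falls back to default-src 'none'; under the relaxed value, CSS from any host is allowed, but scripts still do not run because the sandbox directive is kept without allow-scripts. Both policies are also sent as response headers, so a <meta> tag in the generated page cannot loosen them; multiple policies are all enforced and only narrow what is allowed.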
Let me elaborate on the solution proposal from Dave "Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy."

We were faced with the same problem as the OP and solved it by generating a second, separate subdomain/DNS entry for the same server, i.e.

www.domain.com -- original jenkins
static.domain.com -- jenkins static delivery

In Jenkins -> Manage -> System go to "Serve resource files from another domain" and set "Resource Root URL" to static.domain.com.

Now the problem was indeed gone and we could e.g. publish HTML reports easily from Jenkins.

Simonasimonds answered 8/5 at 17:2