Jenkins Content Security Policy
Note: this page is a Chinese/English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/37618892/
Asked by Thomas
I'm confused about Jenkins Content Security Policy.
I know these sites:
I have a html page shown via Jenkins Clover Plugin. This html page uses inline style, e.g.:
<div class='greenbar' style='width:58px'>
The div element visualizes a progress bar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL
The result I want to have looks like this: Progressbar_WORKS
I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self, unsafe-inline, ...), but nothing works.
So my questions for now:
- Where do I have to specify the CSP configuration?
- Is it possible to use inline styles?
- Where should the styles be located? My CSS stylesheets are located locally on the Jenkins server.
- What is the best way to get inline styles and CSP rules "satisfied"?
Update
1. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'" in the jenkins.xml file. Then the following error occurs:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
2. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self'" in the jenkins.xml file. Then the following error occurs:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution
I understand that this try cannot solve my problem, because default-src includes style-src.
3. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline'" in the jenkins.xml file. Then the following error occurs:
Refused to load the stylesheet s://jenkins/andsomedir/stylesheet.css [it's https://..., not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".
Answered by Dave Bacher
While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically, as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to force reload the page to see the new settings.)
In order to use both inline styles and local stylesheets, you need to add both 'self' and 'unsafe-inline':
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")
Depending on how the progress bar is manipulated, you may need to adjust 'script-src' in the same way as well.
Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.
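As an added example that is not part of the question, of this answer, or of Jenkins itself, the following Python models the fallback rule the browser errors in the question describe: style-src falls back to default-src when it is not set, and 'self' (same-origin stylesheets) and 'unsafe-inline' (style= attributes) are independent sources, so a policy needs both for the Clover report. It replays the asker's three attempts next to the policy from this answer, and audit() lists the tokens that widen a policy so a relaxation can be reviewed before it goes into the startup script. The host name jenkins and the URLs are constructed from the third error message; host-source paths, host wildcards and 'strict-dynamic' are deliberately not modelled.

```python
# Added example: a simplified model of CSP source resolution, not Jenkins code
# and not taken from the Stack Overflow thread.
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "frame-src", "media-src", "object-src"}
# Source tokens that widen a policy; reported by audit().
RISKY_TOKENS = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"}

# Constructed sample URLs: the asker's host and the stylesheet from error 3.
PAGE_URL = "https://jenkins/job/example/clover/index.html"
STYLESHEET_URL = "https://jenkins/andsomedir/stylesheet.css"


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [sources]}.
    A repeated directive keeps its first value, and a stray token after a ';'
    (e.g. a bare 'unsafe-eval') becomes an unknown directive, as in browsers."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, directive):
    """(sources, governing directive), or (None, None) when nothing restricts it."""
    if directive in directives:
        return directives[directive], directive
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"], "default-src"
    return None, None


def allows_inline(directives, directive="style-src"):
    """'unsafe-inline' permits inline content unless a nonce or hash is also
    listed, in which case browsers ignore 'unsafe-inline'."""
    sources, _ = effective_sources(directives, directive)
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def _source_matches(source, target, page):
    if source == "*":  # network schemes only, never data: or blob:
        return target.scheme in {"http", "https", "ws", "wss"}
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):  # scheme-source such as data: or https:
        return target.scheme == source[:-1]
    if "://" in source:  # host-source with explicit scheme, exact host match
        host = urlsplit(source)
        return (target.scheme, target.netloc) == (host.scheme, host.netloc)
    return False


def allows_url(directives, directive, url, page_url=PAGE_URL):
    """Whether a page at page_url may load url under the given directive."""
    sources, _ = effective_sources(directives, directive)
    if sources is None:
        return True
    target, page = urlsplit(url), urlsplit(page_url)
    return any(_source_matches(s, target, page) for s in sources)


def evaluate(policy):
    """What the Clover report needs: inline style= attributes and a stylesheet
    served by Jenkins itself."""
    directives = parse_csp(policy)
    return {
        "inline_style": allows_inline(directives, "style-src"),
        "local_stylesheet": allows_url(directives, "style-src", STYLESHEET_URL),
        "governed_by": effective_sources(directives, "style-src")[1],
    }


def audit(policy):
    """(directive, token) pairs that widen the policy, for review."""
    return [(name, token) for name, sources in parse_csp(policy).items()
            for token in sources if token in RISKY_TOKENS]


# The asker's three attempts and the policy given in the answer above.
POLICIES = {
    "attempt 1": "default-src 'self'",
    "attempt 2": "default-src 'self'; style-src 'self'",
    "attempt 3": "default-src 'self'; style-src 'unsafe-inline'",
    "answer": "default-src 'self'; style-src 'self' 'unsafe-inline';",
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(f"{label:10} {evaluate(policy)}  widened by: {audit(policy)}")
```

Attempts 1 and 2 allow the local stylesheet but refuse the inline style, attempt 3 does the reverse, and the answer's policy allows both, which matches the three browser messages quoted in the question. Running audit() over the broader policies proposed further down the page shows exactly which directives they open to any origin or to eval.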
Answered by de.la.ru
Just to be clear about setting this CSP property permanently on Jenkins.
If you are running Jenkins on Ubuntu:
$ vim /etc/default/jenkins
- Find the line with JAVA_ARGS and add the CSP policy like this:
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
If you are running Jenkins on CentOS:
$ vim /etc/sysconfig/jenkins
- Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy like this:
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
Save the file and restart Jenkins.
$ sudo service jenkins restart
or in your browser http://localhost:8080/safeRestart
Answered by Bhupender Kumawat
To add more to @Kirill's answer...
If Jenkins is deployed in a Tomcat container, set the CATALINA_OPTS environment value in the setenv.sh file (present in the ${CATALINA_BASE}/bin folder) as highlighted below:
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_BASE}/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"\""
or
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/software/jenkins/tomcat_jenkins/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'self'; script-src *; 'unsafe-eval'; img-src *; style-src *; 'unsafe-inline'; font-src *;\""
After changing the above file, restart Tomcat. It worked like a charm for me. Hope it helps :)
Note: CSP is only applicable for plugins like HTML Publisher and the Maven plugin. It didn't work for the email HTML file.
Answered by manuelbcd
Trying to share my procedures: I always follow one of these workarounds. However, you need to pay attention to your security constraints, since applying these fixes would be potentially insecure.
- Temporary fix:
Go to the Jenkins console and apply the following commands, depending on the kind of CSP policy relaxation that you want.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")
This workaround is aimed at temporary tests or a dev environment.
If you want to change it permanently, add this to the java command when you run the application:
-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"
Finally, I strongly suggest you read these articles:
Official Jenkins documentation: https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy
Workarounds to reset CSP rules temporarily or permanently: https://www.cyotek.com/blog/adjusting-the-jenkins-content-security-policy
Answered by kolukuri
The properties below worked for me. They allow all external servers.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
Answered by Nakul
I too had a similar issue. The solution below worked for me.
java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox; style-src 'unsafe-inline' *;" -Dsvnkit.http.sslProtocols=TLSv1 -jar C:/server/Jenkins.war --httpPort=8280