Jenkins Content Security Policy


Problem description

I'm confused about Jenkins Content Security Policy.

I know these sites:

I have an HTML page shown via Jenkins Clover Plugin. This HTML page uses inline style, e.g.:

<div class='greenbar' style='width:58px'>

The div element visualizes a progress bar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL

The result I want to have looks like this: Progressbar_WORKS

I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self, unsafe-inline,..) but nothing works.

So my questions for now:

  1. Where do I have to specify the CSP configuration?
  2. Is it possible to use inline styles?
  3. Where should the styles be located? My CSS stylesheets are located locally on the Jenkins server.
  4. What is the best way to get inline style and CSP rules "satisfied"?

Update

1. Try: -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

2. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution

I understand that this try cannot solve my problem, because default-src includes style-src.

3. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline' in the jenkins.xml file. Then the following error occurs:

Refused to load the stylesheet s://jenkins/andsomedir/stylesheet.css [its https://... not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".

Solution

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progress bar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.
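The three attempts in the Update and the policy in the answer differ only in how the browser resolves the effective `style-src`. The following is an added example, not code from the question, the answer, or Jenkins: a small Python model of that resolution (the `default-src` fallback, `'self'` for same-origin URLs, `'unsafe-inline'` for inline styles, plus plain host-sources), applied to each policy string from the page. It assumes the report is served from the constructed origin `https://jenkins`, reuses the stylesheet URL from the third error message, and adds a constructed cross-origin URL `https://cdn.example/style.css`; hashes and nonces are deliberately not modelled.

```python
"""Model of CSP style-src resolution, reproducing the outcomes of the three attempts
in the question and the working policy from the answer. Added example; not Jenkins code."""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://jenkins"                                   # constructed: origin serving the Clover report
LOCAL_STYLESHEET = "https://jenkins/andsomedir/stylesheet.css"   # URL quoted in the third error message
CDN_STYLESHEET = "https://cdn.example/style.css"                 # constructed: a cross-origin stylesheet


def parse_csp(policy):
    """Split a policy string into {directive_name: [source expressions]}.
    Source expressions keep their quotes ('self') so keywords and hosts stay distinct;
    a repeated directive is ignored, as browsers ignore all but the first occurrence."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """A fetch directive that is not set explicitly falls back to default-src,
    which is exactly what the first error message points out for style-src."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _host_source_matches(source, url):
    """Match a host-source such as https://cdn.example or *.example against a URL."""
    parts = urlsplit(url)
    if "://" in source:
        src = urlsplit(source)
        if src.scheme.lower() != parts.scheme.lower():
            return False
        pattern = src.netloc.lower()
    else:
        pattern = source.lower()
    host = parts.netloc.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # wildcard covers subdomains only
    return host == pattern


def style_allowed(policy, page_origin=PAGE_ORIGIN, inline=False, stylesheet_url=None):
    """Decide whether an inline style attribute (inline=True) or an external stylesheet
    (stylesheet_url) passes the effective style-src of `policy`. Returns (allowed, reason)."""
    sources = effective_sources(parse_csp(policy), "style-src")
    if inline:
        if "'unsafe-inline'" in sources:
            return True, "inline style permitted by 'unsafe-inline'"
        return False, "Refused to apply inline style: no 'unsafe-inline', hash or nonce in effective style-src"
    if "'none'" in sources:
        return False, "style-src 'none' blocks every stylesheet"
    if "'self'" in sources and _origin(stylesheet_url) == page_origin.lower():
        return True, "stylesheet is same-origin and 'self' is listed"
    for source in sources:
        if not source.startswith("'") and _host_source_matches(source, stylesheet_url):
            return True, f"stylesheet matches host-source {source}"
    return False, f"Refused to load the stylesheet {stylesheet_url}: no matching source in effective style-src"


# The policy strings from the question's Update and from the answer, verbatim.
ATTEMPTS = {
    "try 1": "default-src 'self'",
    "try 2": "default-src 'self'; style-src 'self'",
    "try 3": "default-src 'self'; style-src 'unsafe-inline'",
    "answer": "default-src 'self'; style-src 'self' 'unsafe-inline';",
}


def evaluate(policy):
    """Return (inline_style_ok, local_stylesheet_ok) for one policy string."""
    inline_ok, _ = style_allowed(policy, inline=True)
    sheet_ok, _ = style_allowed(policy, stylesheet_url=LOCAL_STYLESHEET)
    return inline_ok, sheet_ok


if __name__ == "__main__":
    for label, policy in ATTEMPTS.items():
        print(f"{label:7} {policy!r:60} -> inline={evaluate(policy)[0]} local_sheet={evaluate(policy)[1]}")
```

Tries 1 and 2 evaluate to the same thing because an absent `style-src` simply inherits `default-src 'self'`; try 3 allows the inline `width:58px` but blocks the local stylesheet because `'unsafe-inline'` carries no host or `'self'` permission; the answer's policy grants both. The cost of that fix is that `'unsafe-inline'` switches off CSP's inline-style protection for every page Jenkins serves under `DirectoryBrowserSupport`, so the tighter long-term option is to serve the bar's styling from a same-origin stylesheet (covered by `'self'`) or a `<style>` element whose hash is listed; note that a hash only matches a `<style>` element, and matching a `style=` attribute additionally needs the CSP Level 3 `'unsafe-hashes'` keyword.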
