Jenkins内容安全策略 [英] Jenkins Content Security Policy

问题描述

我知道这些网站：

• 配置内容安全政策 li>
  
• 内容安全策略参考

我有一个通过Jenkins Clover Plugin显示的html页面。这个html页面使用内联样式，例如：

 < div class ='greenbar'style ='width：58px'> 
  

div元素可视化一个进度条。
使用默认的Jenkins CSP配置会产生以下结果：
Progressbar_FAIL a>

我想要的结果如下所示：
Progressbar_WORKS

我尝试放宽CSP规则，添加不同的参数组合（script-src，style-src）不同的级别（自我，不安全，内联，..），但没有任何作品。

所以我现在的问题：

1. 我必须在哪里指定CSP配置？


2. 是否可以使用内联样式？


3. 样式应该放在哪里？我的CSS样式表位于Jenkins服务器上的本地。


4. 什么是让内联风格和CSP规则满意的最佳方式

更新

1。在jenkins.xml文件中尝试：
-Dhudson.model.DirectoryBrowserSupport.CSP =default-src'self'
。然后发生以下错误：

拒绝应用内联样式，因为它违反了以下
内容安全策略指令：default- src'self'。需要
'unsafe-inline'关键字，一个散列（'sha256-'）或一个nonce
（'nonce -...'）来启用内联执行。还要注意
'style-src'没有明确设置，所以'default-src'被用作
后备。

2。尝试
-Dhudson.model.DirectoryBrowserSupport.CSP =default-src'self'; jenkins.xml文件中的style-src'self'。然后出现以下错误：

拒绝应用内联样式，因为它违反了以下
内容安全策略指令：style- src'self'。内联执行需要
'unsafe-inline'关键字，一个散列
（'sha256-'）或一个nonce
（'nonce -...'） p>

我明白这个尝试不能解决我的问题，因为default-src包含style-src

3。在jenkins中尝试
-Dhudson.model.DirectoryBrowserSupport.CSP =default-src'self'; style-src'unsafe-inline'然后发生以下错误：

lockquote

拒绝加载样式表
s：// jenkins / andsomedir / stylesheet。 css [它的https：// ...不允许发布两个以上的链接:(]
，因为它违反了以下内容安全策略指令：
style-src'unsafe-inline'。

解决方案

在进行实验时，我建议使用Script Console根据描述动态调整CSP参数在配置内容安全策略页面。（Jenkins wiki中还有一个注释页面，表明您可能需要强制重新载入页面以查看新设置。）

为了同时使用内联样式和本地样式您需要添加 self 和 unsafe-inline ：

  System.setProperty（hudson.model.DirectoryBrowserSupport.CSP，default-src'self'; style-src'self''unsafe-inline';）
  

根据进度条的操作方式，您可能需要以相同的方式调整'script-src'。

一旦找到可用的设置，您可以调整Jenkins启动脚本以添加CSP参数定义。

I'm confused about Jenkins Content Security Policy.

I know these sites:

• Configuring Content Security Policy
• Content Security Policy Reference

I have a html page shown via Jenkins Clover Plugin. This html page uses inline style, e.g.:

<div class='greenbar' style='width:58px'>

The div-element visualizes a progressbar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL

The result i want to have looks like this: Progressbar_WORKS

I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self, unsafe-inline,..) but nothing works.

So my questions for now:

1. Where do i have to specify the CSP configuration?
2. Is it possible to use inline styles?
3. Where should the styles be located? My css-stylesheets are located local on the Jenkins Server.
4. What is the best way to get inline style and CSP rules "satisfied"

Update

1. Try: -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

2. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution

I understand that this try can not solve my problem, because default-src includes style-src

3. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline' in the jenkins.xml file. Then the following error occurs:

Refused to load the stylesheet s://jenkins/andsomedir/stylesheet.css [its https://... not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".

解决方案

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.

这篇关于Jenkins内容安全策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！