because the document's frame is sandboxed and the 'allow-scripts' permission is not set


Question

I wrote a program that generated an html file with this header:

but I don't have an iframe at all, let alone in a sandbox.



When I open the page in the browser (hosted on a Jenkins server) I see no css.



These are the errors (security policy)



I have seen some posts on stackoverflow, saying the <meta> should be like:

<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">

but as you can see in my print screen that didn't help

any idea, how can I fix this?

Solution

You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.



One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:

The CSP header sent by Jenkins can be modified by setting the system property hudson.model.DirectoryBrowserSupport.CSP:

If its value is the empty string, e.g. java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war then the header will not be sent at all.

You can experiment in the following way:

(Warning!) This is potentially very unsafe and should only be used after reviewing the overall security setup. Use the Jenkins Script Console to try different settings. To enable CSS and images from external sites, you could use something like:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src '*'; style-src '*' 'unsafe-inline';")

Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.

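The answer's point is that the policy in the response header Jenkins sends (a bare sandbox directive plus a restrictive style-src) is what blocks the page, and that a <meta> policy inside the generated file cannot loosen it. The script below is an added example, not code from the thread or from Jenkins: it parses Content-Security-Policy values into directives and evaluates, for the asker's situation, whether the Bootstrap stylesheet, an inline style and scripts would be allowed. The page URL, stylesheet URL and the strict policy are constructed (the strict one is an assumption of the shape Jenkins serves for files by default); the relaxed policy is the Script Console value from the answer with the wildcard written unquoted; the meta policy is the asker's own.

```python
"""Model how a browser evaluates Content-Security-Policy against a page's loads.

Added example, not code from the original thread or from Jenkins. URLs and the
strict policy are constructed/assumed; see the comments on each constant.
"""
from urllib.parse import urlparse

# Constructed sample values (not from the thread).
PAGE_URL = "https://jenkins.example/job/report/index.html"
BOOTSTRAP_CSS = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"

# Assumed shape of the header Jenkins sends for served files (not quoted on the page).
STRICT_HEADER = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
# The Script Console value from the answer, with the wildcard unquoted as the CSP grammar requires.
RELAXED_HEADER = "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';"
# The <meta> policy the asker tried inside the generated HTML.
META_POLICY = ("script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; "
               "style-src 'self' maxcdn.bootstrapcdn.com")


def parse_csp(header):
    """'dir src src; dir ...' -> {directive: [sources]}; first occurrence of a directive wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def _source_matches(source, resource_origin, page_origin):
    """Simplified host-source matching: no paths, partial wildcards, nonces or hashes."""
    if source == "'self'":
        return resource_origin == page_origin
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', or a misquoted '*': never matches a host
    if "://" in source:
        return resource_origin == source.rstrip("/")
    # Bare host such as maxcdn.bootstrapcdn.com: same host, page's scheme.
    return (urlparse(resource_origin).hostname == source
            and urlparse(resource_origin).scheme == urlparse(page_origin).scheme)


def _sources_for(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_fetch(policy, directive, url, page_url=PAGE_URL):
    sources = _sources_for(policy, directive)
    if sources is None:
        return True
    page_origin, resource_origin = _origin(page_url), _origin(url)
    return any(_source_matches(s, resource_origin, page_origin) for s in sources)


def allows_inline(policy, directive):
    sources = _sources_for(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def scripts_enabled(policy):
    """A bare 'sandbox' directive disables script execution unless allow-scripts is listed."""
    return "sandbox" not in policy or "allow-scripts" in policy["sandbox"]


def combined_allows(policies, check):
    """A document under several policies (header + <meta>) must satisfy every one of them."""
    return all(check(p) for p in policies)


def report(header, meta=None):
    """Summarise what the generated page can load under the header (+ optional meta) policy."""
    policies = [parse_csp(header)] + ([parse_csp(meta)] if meta else [])
    return {
        "bootstrap_css": combined_allows(policies, lambda p: allows_fetch(p, "style-src", BOOTSTRAP_CSS)),
        "inline_style": combined_allows(policies, lambda p: allows_inline(p, "style-src")),
        "scripts_run": combined_allows(policies, scripts_enabled),
    }


if __name__ == "__main__":
    cases = {
        "strict header only": (STRICT_HEADER, None),
        "strict header + meta": (STRICT_HEADER, META_POLICY),
        "relaxed header": (RELAXED_HEADER, None),
    }
    for name, (hdr, meta) in cases.items():
        print(f"{name:22} -> {report(hdr, meta)}")
```

Running it shows the three points that matter here: under the strict header nothing external loads; adding the asker's <meta> policy changes nothing, because every policy that applies to a document must allow a load, so a meta policy can only tighten what the header permits; and the relaxed value from the answer lets CSS and images through but still carries sandbox without allow-scripts, so the console error in the title persists until scripts are explicitly allowed (or the header is dropped) for those pages. Note also that the CSP wildcard is an unquoted *; a quoted '*' is not a source keyword and browsers treat it as an invalid source and ignore it, which the matcher reproduces.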
