I opened https://issues.apache.org/jira/browse/INFRA-11746
Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

> -----Original Message-----
> From: Andrew Bayer [mailto:[email protected]]
> Sent: Sunday, April 24, 2016 8:09 PM
> To: [email protected]
> Cc: Rick Hillegas <[email protected]>; [email protected]
> Subject: Re: blank html frames in Jenkins-built documentation
>
> Please open an INFRA JIRA.
>
> On Sunday, April 24, 2016, Uwe Schindler <[email protected]> wrote:
>
> > Hi,
> >
> > We have the same problem with our Lucene documentation. Some Lucene
> > classes refer to JDK documentation. The links just result in a white page
> > and the mentioned security warning in browser logs.
> >
> > For other Jenkins servers outside ASF the setting to disable these checks
> > was added to prevent the javadocs problem.
> >
> > Unless Java 9 with the new Javadocs style comes, it is impossible to
> > display Javadocs of previous versions with the frame security issues.
> > Please disable this as described in Jenkins Wiki. Our build servers are
> > under full control by infrastructure and committers. Nobody from the outside
> > can inject custom pages loaded in frames.
> >
> > Uwe
> >
> > On April 24, 2016 16:34:16 CEST, Rick Hillegas <[email protected]> wrote:
> > >Hi Infrastructure experts,
> > >
> > >The Derby project uses Jenkins to build the latest version of our user
> > >documentation. The resulting documents are linked from the Derby
> > >website here: http://db.apache.org/derby/manuals/index.html#latest.
> > >Some of the Jenkins-built documentation is in html format and it uses
> > >frames. The Jenkins machines serve up those web pages as blank frames
> > >and my Firefox browser's error console reports the following:
> > >
> > ><consoleOutput>
> > >Content Security Policy: Couldn't process unknown directive 'sandbox'
> > ><unknown>
> > >Content Security Policy: The page's settings blocked the loading of a
> > >resource at
> > >https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html
> > >("default-src 'none'").
> > ></consoleOutput>
> > >
> > >The frames seem to have been intercepted in order to frustrate a
> > >possible Cross Frame Scripting attack, as described by the default
> > >Jenkins Content Security Policy:
> > >
> > >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >The default Jenkins Content Security Policy assumes that Apache
> > >continuous-integration builds are exposed to the two risks listed here:
> > >
> > >https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations
> > >
> > >I don't believe that Apache's Jenkins builds suffer from the first
> > >risk ("Are less trusted users allowed to create or modify files in
> > >Jenkins workspaces?"). That is because only trusted Apache committers
> > >can trigger Jenkins builds. Do Apache continuous-integration builds
> > >suffer from the second risk ("Are some slaves not fully trusted?")?
> > >
> > >The Derby developers have begun discussing this problem at
> > >
> > >http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html
> > >
> > >I would appreciate your advice about how we can stop html frames from
> > >being intercepted and blanked out when readers link to the
> > >Jenkins-built documentation.
> > >
> > >Thanks,
> > >-Rick
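
Added example (not part of the thread, and not Jenkins or browser code): a simplified JavaScript model of how the directive governing a frame load is chosen, run against a header assumed to be consistent with the two directives shown in the console output above. The header strings, the `frameset.html` page name and all function names are constructed for illustration; only `'none'`, `'self'`, `*` and exact origins are matched.

```javascript
// Simplified model of CSP source-list matching for a frame load (added example).
// Constructed inputs: the header strings and frameset.html are illustrative assumptions.
const BASE = 'https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/';
const PAGE = BASE + 'frameset.html';   // hypothetical page that embeds the frames
const FRAME = BASE + 'toc.html';       // the resource named in the console output
const REPORTED = "sandbox; default-src 'none'; img-src 'self'; style-src 'self'";
const WITH_FRAMES = REPORTED + "; frame-src 'self'";  // constructed variant for comparison

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Frame loads are checked against frame-src, then child-src, then default-src.
function effectiveFrameDirective(policy) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (policy.has(name)) return name;
  }
  return null; // nothing applies, so source lists do not restrict the load
}

// Report whether a frame at frameUrl may load inside the page at pageUrl.
// 'sandboxed' is reported separately: sandbox restricts the document
// independently of any source list.
function checkFrameLoad(header, pageUrl, frameUrl) {
  const policy = parseCsp(header);
  const directive = effectiveFrameDirective(policy);
  const sandboxed = policy.has('sandbox');
  if (directive === null) return { allowed: true, directive, sandboxed };
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(frameUrl).origin;
  const allowed = policy.get(directive).some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return frameOrigin === pageOrigin;
    try { return new URL(src).origin === frameOrigin; } catch { return false; }
  });
  return { allowed, directive, sandboxed };
}

console.log(checkFrameLoad(REPORTED, PAGE, FRAME));     // decided by default-src
console.log(checkFrameLoad(WITH_FRAMES, PAGE, FRAME));  // decided by frame-src
```

In this model the reported header blocks `toc.html` through the `default-src 'none'` fallback, while the variant with `frame-src 'self'` admits same-origin frames only and still reports the `sandbox` directive as present.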
