Thanks, Uwe and Chris. The change described on https://issues.apache.org/jira/browse/INFRA-11746 seems to have fixed the problem. I can now see Derby's Jenkins-generated, frames-based, html-formatted alpha docs.

Thanks,
-Rick

On 4/25/16 4:19 PM, Uwe Schindler wrote:
I opened https://issues.apache.org/jira/browse/INFRA-11746

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

-----Original Message-----
From: Andrew Bayer [mailto:[email protected]]
Sent: Sunday, April 24, 2016 8:09 PM
To: [email protected]
Cc: Rick Hillegas<[email protected]>; [email protected]
Subject: Re: blank html frames in Jenkins-built documentation

Please open an INFRA JIRA.

On Sunday, April 24, 2016, Uwe Schindler<[email protected]>  wrote:

Hi,

We have the same problem with our Lucene documentation. Some Lucene
classes refer to JDK documentation. The links just result in a white page
and the mentioned security warning in browser logs.

For other Jenkins servers outside ASF the setting to disable these checks
was added to prevent the javadocs problem.

Unless Java 9 with the new Javadocs style comes, it is impossible to
display Javadocs of previous versions with the frame security issues.
Please disable this as described in Jenkins Wiki. Our build servers are
under full control by infrastructure and committers. Nobody from the outside
can inject custom pages loaded in frames.

Uwe

On April 24, 2016 16:34:16 CEST, Rick Hillegas <[email protected]> wrote:
Hi Infrastructure experts,

The Derby project uses Jenkins to build the latest version of our user
documentation. The resulting documents are linked from the Derby website
here: http://db.apache.org/derby/manuals/index.html#latest. Some of the
Jenkins-built documentation is in html format and it uses frames. The
Jenkins machines serve up those web pages as blank frames and my Firefox
browser's error console reports the following:

<consoleOutput>
Content Security Policy: Couldn't process unknown directive 'sandbox'
<unknown>
Content Security Policy: The page's settings blocked the loading of a resource at https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/ref/toc.html ("default-src 'none'").
</consoleOutput>

The frames seem to have been intercepted in order to frustrate a
possible Cross Frame Scripting attack, as described by the default
Jenkins Content Security Policy:

https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations

The default Jenkins Content Security Policy assumes that Apache
continuous-integration builds are exposed to the two risks listed here:

https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Considerations

I don't believe that Apache's Jenkins builds suffer from the first
risk ("Are less trusted users allowed to create or modify files in
Jenkins workspaces?"). That is because only trusted Apache committers
can trigger Jenkins builds. Do Apache continuous-integration builds
suffer from the second risk ("Are some slaves not fully trusted?")?

The Derby developers have begun discussing this problem at

http://apache-database.10148.n7.nabble.com/alpha-docs-not-being-generated-td145918.html

I would appreciate your advice about how we can stop html frames from
being intercepted and blanked out when readers link to the Jenkins-built
documentation.

Thanks,
-Rick
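
An added example, not part of the original thread and not Jenkins or browser code: a simplified JavaScript model of how a browser picks the directive that governs a frame load, which reproduces the `default-src 'none'` block in the console output above. The parent page name `index.html`, the `RELAXED` policy and the function names are assumptions; the `sandbox` directive is not modelled.

```javascript
// Jenkins' default policy for served artifacts, as documented by Jenkins at
// the time; the thread's console output shows only its default-src 'none'.
const JENKINS_DEFAULT =
  "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
// Constructed inputs: the parent page name is hypothetical, and RELAXED is
// for comparison only, not a setting taken from the thread.
const PAGE = 'https://builds.apache.org/job/Derby-docs/' +
  'lastSuccessfulBuild/artifact/trunk/out/ref/index.html';
const RELAXED = "sandbox; default-src 'none'; frame-src 'self'; " +
  "img-src 'self'; style-src 'self';";

// Split a policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression against a frame URL (subset: 'none', 'self',
// '*', scheme sources such as https:, and exact origins).
function sourceMatches(source, frameUrl, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return /^https?:$/.test(frameUrl.protocol);
  if (s === "'self'") return frameUrl.origin === pageUrl.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return frameUrl.protocol === s;
  try { return new URL(s).origin === frameUrl.origin; } catch { return false; }
}

// Frame loads are checked against frame-src, then child-src, then default-src.
function checkFrame(policy, page, frame) {
  const directives = parsePolicy(policy);
  const pageUrl = new URL(page);
  const frameUrl = new URL(frame, pageUrl);
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (!directives.has(name)) continue;
    const allowed = directives.get(name)
      .some((src) => sourceMatches(src, frameUrl, pageUrl));
    return { allowed, directive: `${name} ${directives.get(name).join(' ')}` };
  }
  return { allowed: true, directive: null }; // no governing directive
}
```

`checkFrame(JENKINS_DEFAULT, PAGE, 'toc.html')` reports the frame as blocked by `default-src 'none'`, the same directive named in the Firefox console message.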


