On 03.02.2015, at 16:29, Wt Riker <[email protected]> wrote:

> The link is:
>
> http://jenkins.server.com:8080/static/452bd4e7/scripts/yui/connection/connection-min.js

Better readable file:
https://github.com/jenkinsci/jenkins/blob/master/war/src/main/webapp/scripts/yui/connection/connection-debug.js#L1046

It's part of the YUI library and used to enable cross-domain requests. According to https://helpx.adobe.com/flash-player/kb/changes-allowscriptaccess-default-flash-player.html doing this requires AllowScriptAccess 'always'.

> It protects an HTML file from a potentially untrusted SWF file, by
> controlling the ability of that SWF file to call JavaScript code in the
> surrounding HTML file. AllowScriptAccess has three possible values: "always",
> "sameDomain", and "never".

I'm not a Flash expert, but as the SWF file used here is connection.swf from the same library (YUI) and should be trusted, and any embedding only happens for deliberate cross-domain requests, this doesn't seem to be a real issue.

If you have further information that shows this is an actual problem, please submit a report with further information to the SECURITY project in Jira.

https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories#SecurityAdvisories-ReportSecurityProblems
https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue
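
When triaging a scanner finding like the one discussed in this thread, it helps to list every Flash embed on a page with its AllowScriptAccess value and whether the SWF is served from the page's own origin. The following is an added example, not part of the original message and not Jenkins or YUI code; the hosts, paths, function names and the use of same-origin as a stand-in for "trusted SWF" are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and paths are made up for this example.
PAGE_URL = "http://jenkins.example.com:8080/"
SAMPLE = """
<object data="/static/scripts/yui/connection/connection.swf">
  <param name="allowScriptAccess" value="always">
</object>
<embed src="http://cdn.example.net/widget.swf" allowscriptaccess="Always">
<embed src="/banner.swf" allowscriptaccess="never">
"""

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())

class FlashEmbedAudit(HTMLParser):
    """Collect each Flash embed with its AllowScriptAccess value."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._obj = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "object":
            self._obj = {"src": a.get("data", ""), "access": ""}
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name == "allowscriptaccess":
                self._obj["access"] = a.get("value", "")
            elif name == "movie":
                self._obj["src"] = a.get("value", "")
        elif tag == "embed":
            self._record(a.get("src", ""), a.get("allowscriptaccess", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            self._record(self._obj["src"], self._obj["access"])
            self._obj = None

    def _record(self, src, access):
        swf, access = urljoin(self.page_url, src), access.lower() or "unset"
        if access != "always":
            verdict = "not-always"
        else:  # assumption: same origin stands in for "trusted SWF"
            verdict = "same-origin" if origin(swf) == origin(self.page_url) else "review"
        self.findings.append((swf, access, verdict))

def audit(html, page_url):
    parser = FlashEmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Entries marked `review` are the ones where a SWF from another origin is allowed to call JavaScript in the embedding page, which is the case the quoted Adobe text describes.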
