Status: Resolved
Since the latest update to 1.551 none of our Jenkins URLs are displayed in our JIRA Wallboard (using custom web page Gadget). The portion of the Wallboard is simply blank. Technically the JIRA gadget only inserts the pages by using an iframe. The URL is correct, but the page is not displayed due to an HTML Option added in 1.551:
<st:header name="X-Frame-Options" value="sameorigin" />
Release Notes of 1.551:
SECURITY-80 is responsible for the change
This is the commit which introduced the new behaviour:
Yes the changes enhance the security, but both our JIRA and our JENKINS access is limited to our company LAN.
So we would recommend adding a security configuration setting for this to allow the usage of the Jenkins pages within other pages (e.g. JIRA Wallboards).
JENKINS-21881 Make X-Frame-Options configurable
I'm having the same issue here, and unfortunately the X-Frame-Filter plugin cannot help as it's adding another X-Frame-Options header. This plugin should use <st:setHeader ...> to replace the header content instead (https://github.com/stapler/stapler/blob/master/jelly/src/main/java/org/kohsuke/stapler/jelly/SetHeaderTag.java)
That of course does not solve this issue; it seems Stapler does not provide any tag to remove a header. And the HttpServletResponse API does not provide this ability either.
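The append-versus-overwrite difference described in the comment above, as an added example (not code from Jenkins, Stapler or the plugin). The `Response` class is a hypothetical model of the servlet `addHeader`/`setHeader` semantics, and the `ALLOW-FROM` value and host are constructed for illustration.

```python
PLUGIN_VALUE = "ALLOW-FROM https://jira.example.invalid"  # constructed value

class Response:
    """Hypothetical stand-in for the servlet response header store."""

    def __init__(self):
        self.headers = []  # ordered (name, value) pairs, as sent on the wire

    def add_header(self, name, value):
        # addHeader semantics: append, keeping any value already present
        self.headers.append((name, value))

    def set_header(self, name, value):
        # setHeader semantics: overwrite whatever was set under this name
        self.headers = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        self.headers.append((name, value))

def parse_raw(block):
    """Turn a raw header block (status line first) into (name, value) pairs."""
    pairs = []
    for line in block.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def xfo_values(headers):
    """Every X-Frame-Options value in wire order, lower-cased."""
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # a comma-joined field is equivalent to repeated header lines
            values.extend(p.strip().lower() for p in value.split(",") if p.strip())
    return values

def audit(headers):
    values = xfo_values(headers)
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflicting"
    return "duplicate" if len(values) > 1 else "single"

def core_then_plugin(plugin_method):
    resp = Response()
    resp.set_header("X-Frame-Options", "sameorigin")  # value set by core 1.551
    getattr(resp, plugin_method)("X-Frame-Options", PLUGIN_VALUE)
    return resp.headers
```

`audit(parse_raw(...))` can be run over a header block saved from a real instance to confirm that exactly one `X-Frame-Options` value is being sent.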
No, the xframe-filter-plugin won't help, sorry for misunderstanding.
I put this hint for how to integrate a configuration option into Jenkins.
The whole xframe-filter-plugin will be obsolete once this is done.
Ok thanks for the clarification and sorry for my misunderstanding then. I also vote in favor of a configuration parameter as proposed in x-frame-filter plugin.
I'm guessing it's related, but I can't use iframes in the Job Description any more after updating to 1.551.
Yes there ought to be a way to configure a set of frames which are to be permitted.
Code changed in jenkins
User: Jesse Glick
[FIXED JENKINS-21842] Use st:setHeader to overwrite any X-Frame-Options set by core.
Maybe it can be done like in the xframe-filter-plugin, which does the same as the change for SECURITY-80, but with a configuration option.
See here for details: