
Need a way to permit Jenkins to be visible in selected iframes

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: core

      Since the latest update to 1.551 none of our Jenkins URLs are displayed in our JIRA Wallboard (using the custom web page gadget). The portion of the Wallboard is simply blank. Technically the JIRA gadget only inserts the pages by using an iframe. The URL is correct, but the page is not displayed due to an HTML option added in 1.551:
      {{{
      <st:header name="X-Frame-Options" value="sameorigin" />
      }}}

      Release Notes of 1.551:
      https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
      SECURITY-80 is responsible for the change.

      This is the commit which introduced the new behaviour:
      https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6

      Yes the changes enhance the security, but both our JIRA and our JENKINS access is limited to our company LAN.

      So we would recommend adding a security configuration setting for this to allow the use of the Jenkins pages within other pages (e.g. JIRA Wallboards).


          Christian Matzat added a comment -

          Maybe it can be done like in the xframe-filter-plugin, which does the same as the change for SECURITY-80, but with a configuration option.

          See here for details:
          https://wiki.jenkins-ci.org/display/JENKINS/XFrame+Filter+Plugin

          Reynald Borer added a comment -

          I'm having the same issue here, and unfortunately the X-Frame-Filter plugin cannot help as it's adding another X-Frame-Options header. This plugin should use <st:setHeader ...> to replace the header content instead (https://github.com/stapler/stapler/blob/master/jelly/src/main/java/org/kohsuke/stapler/jelly/SetHeaderTag.java).

          That of course does not solve this issue; it seems Stapler does not provide any tag to remove a header. And the HttpServletResponse API does not provide this ability either.
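The comment above turns on one detail: a decorator that *adds* a second X-Frame-Options header leaves core's `sameorigin` value on the wire next to its own, whereas *replacing* the header (the `st:setHeader` approach) leaves exactly one value. The following is an added illustration, not Jenkins, Stapler or xframe-filter-plugin code: it models core and the plugin as WSGI layers, shows both strategies, and includes the response check a defender would run to spot duplicate X-Frame-Options headers. The `ALLOW-FROM https://jira.example` value is a constructed placeholder for whatever an administrator would configure.

```python
"""Added illustration: adding vs. replacing X-Frame-Options in a layered web app.

Constructed with WSGI so it runs offline; it is not Jenkins or Stapler code.
"""
from wsgiref.util import setup_testing_defaults

HEADER = "X-Frame-Options"

# Constructed placeholder for an administrator-configured value. ALLOW-FROM was
# the pre-CSP way to name one permitted framing origin; CSP frame-ancestors has
# since replaced it in browsers.
PLACEHOLDER_VALUE = "ALLOW-FROM https://jira.example"


def core_app(environ, start_response):
    """Stand-in for Jenkins core after SECURITY-80: every page gets sameorigin."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              (HEADER, "sameorigin")])
    return [b"<html>dashboard</html>"]


def add_header_layer(app, value):
    """Mimics a decorator that appends its own header (st:header): the core
    value is kept, so the response now carries two X-Frame-Options headers."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            return start_response(status, headers + [(HEADER, value)], exc_info)
        return app(environ, sr)
    return wrapped


def set_header_layer(app, value):
    """Mimics the fix (st:setHeader): drop any existing X-Frame-Options header
    and emit the configured value as the only one."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            return start_response(status, kept + [(HEADER, value)], exc_info)
        return app(environ, sr)
    return wrapped


def frame_options_values(app):
    """Run one request through `app` and return every X-Frame-Options value
    it sent, in order (header names compared case-insensitively)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)
        return lambda data: None

    list(app(environ, start_response))  # consume the body iterable
    return [v for k, v in captured["headers"] if k.lower() == HEADER.lower()]


def audit_frame_options(values):
    """Defender's check on a captured response: exactly one value is healthy;
    zero means no framing protection, more than one means two layers are
    fighting over the header (the situation this issue describes)."""
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    return "ok"


if __name__ == "__main__":
    for label, app in [
        ("core only", core_app),
        ("plugin adds header", add_header_layer(core_app, PLACEHOLDER_VALUE)),
        ("plugin replaces header", set_header_layer(core_app, PLACEHOLDER_VALUE)),
    ]:
        vals = frame_options_values(app)
        print(f"{label:24s} {vals} -> {audit_frame_options(vals)}")
```

Running the script prints one line per configuration; the "adds header" case is the one the plugin produced before its fix, and `audit_frame_options` flags it as `duplicate`.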

          Christian Matzat added a comment -

          No, the xframe-filter-plugin won't help, sorry for the misunderstanding.

          I put this hint here for how to integrate a configuration option into Jenkins.
          The whole xframe-filter-plugin will be obsolete once this is done.

          Reynald Borer added a comment -

          Ok thanks for the clarification and sorry for my misunderstanding then. I also vote in favor of a configuration parameter as proposed in x-frame-filter plugin.


          Jerry Del Gaudio added a comment - edited

          I'm guessing it's related, but I can't use iframes in the Job Description any more after updating to 1.551.


          Jesse Glick added a comment -

          Yes there ought to be a way to configure a set of frames which are to be permitted.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/resources/org/jenkins/ci/plugins/xframe_filter/XFrameFilterPageDecorator/httpHeaders.jelly
          http://jenkins-ci.org/commit/xframe-filter-plugin/bce246d5f2b8bb38d3c7f9784a13e80746f46c88
          Log:
          [FIXED JENKINS-21842] Use st:setHeader to overwrite any X-Frame-Options set by core.

          Compare: https://github.com/jenkinsci/xframe-filter-plugin/compare/0df466a4f179...bce246d5f2b8

            Assignee: Unassigned
            Reporter: Norbert Pfistner (npfistner)
            Votes: 1
            Watchers: 8