[JENKINS-21881] Make X-Frame-Options configurable

• Type: New Feature
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      Jenkins 1.532.2 sets X-Frame-Options to sameorigin [https://github.com/cloudbees/hudson/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6]. While this prevents attacks via frame embedding, it also prevents any desirable embedding of Jenkins in a frame.

      This should be configurable "somehow." Either via an extension point, or allowing PageDecorators to set the header property by changing the order of layout.jelly.

          Jesse Glick added a comment -

          That indeed looks like the right header to use going forward. http://www.w3.org/TR/CSP/#content-security-policy-header-field notes that multiple such headers are all enforced, but that should not force the introduction of an API since st:setHeader overrides an existing single header.


          Daniel Beck added a comment -

          Actually, I was probably wrong.

          X-Frame-Options specifies how the current site may be embedded, while Content-Security-Policy specifies what the current site is allowed to embed. So X-Frame-Options protects against users visiting rogue sites embedding Jenkins, while Content-Security-Policy protects against Jenkins embedding malicious bits.

          While there's still the sandbox attribute, I'm not sure what its effect is.


          Stuart Whelan added a comment -

          After adding the plugin and unticking the Send X-Frame-Options, I can now load Jenkins from within an iframe on IE, but not Firefox or Chrome.


          Timm Drevensek added a comment -

          If you are within a sealed corporate environment, you will not need this feature because it will only cause you trouble.

          Timm Drevensek added a comment - edited

          This is the bypass for this "feature", but it's broken! JENKINS-22430

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087
          Log:
          [FIXED JENKINS-21881] System property for disabling X-Frame-Options

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
          http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b
          Log:
          JENKINS-21881 Add test

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          core/src/main/resources/lib/layout/layout.jelly
          test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
          http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a
          Log:
          Merge pull request #1391 from daniel-beck/JENKINS-21881

          [FIXED JENKINS-21881] System property for disabling X-Frame-Options

          Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614

          Daniel Beck added a comment -

          From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar) to get rid of the header.

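          To confirm that the header really is gone (or still present) after restarting with that system property, here is an added check that is not part of the Jenkins project or of this thread: a POSIX shell function that reads raw HTTP response headers on stdin, e.g. from curl -s -D - -o /dev/null http://localhost:8080/ (the URL is a placeholder for your own instance), and reports whether the page is still protected against framing by X-Frame-Options or by a Content-Security-Policy frame-ancestors directive. The two sample responses at the bottom are constructed for the demo, not captured from a real Jenkins.

```shell
#!/bin/sh
# Added example (not Jenkins project code): verify frame protection from raw
# response headers. Usage against a live server (placeholder URL):
#   curl -s -D - -o /dev/null http://localhost:8080/ | check_frame_options
# Exit status 0 means the page is frame-protected, non-zero means it is not
# (or the headers are ambiguous and should be fixed).
check_frame_options() {
    # Read the whole header block from stdin and drop CRs so the greps see clean lines.
    hdrs=$(tr -d '\r')

    # How many X-Frame-Options lines there are: more than one is ambiguous and
    # browsers may ignore conflicting values entirely.
    count=$(printf '%s\n' "$hdrs" | grep -ic '^x-frame-options:' || true)

    # Normalised value of the first X-Frame-Options header, empty when absent.
    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | head -n 1 \
          | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z' || true)

    # The frame-ancestors directive of Content-Security-Policy, if present.
    # Browsers that implement it give it precedence over X-Frame-Options.
    fa=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy:' \
          | grep -io 'frame-ancestors[^;]*' | head -n 1 || true)

    if [ "$count" -gt 1 ]; then
        echo "AMBIGUOUS: $count X-Frame-Options headers; browsers may ignore conflicting values"
        return 1
    fi

    if [ -n "$fa" ]; then
        fa_val=$(printf '%s' "$fa" | sed 's/^frame-ancestors[[:space:]]*//')
        if [ "$fa_val" = "*" ]; then
            echo "UNPROTECTED: CSP $fa allows any site to frame this page (overrides X-Frame-Options)"
            return 1
        fi
        echo "protected: CSP $fa (X-Frame-Options: ${xfo:-absent})"
        return 0
    fi

    case "$xfo" in
        "")               echo "UNPROTECTED: no X-Frame-Options and no CSP frame-ancestors"; return 1 ;;
        deny|sameorigin)  echo "protected: X-Frame-Options: $xfo"; return 0 ;;
        allow-from*)      echo "WEAK: X-Frame-Options: $xfo (ALLOW-FROM is not supported by all browsers)"; return 1 ;;
        *)                echo "UNPROTECTED: unrecognised X-Frame-Options value '$xfo' is ignored by browsers"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server): the header
# Jenkins sends by default, and a response with the decorator disabled.
printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\nContent-Type: text/html\r\n\r\n' | check_frame_options || :
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | check_frame_options || :
```

          Run it after each restart to make sure the property took effect on the URL you actually embed; if a reverse proxy sits in front of Jenkins it may add or strip the header on its own, so check the response the browser sees, not the one Jenkins emits locally.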

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3677
          [FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087)
          JENKINS-21881 Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b)

          Result = SUCCESS
          daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087
          Files :

          • core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          • core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          • core/src/main/resources/lib/layout/layout.jelly

          daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b
          Files :

          • test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java


            Assignee: Daniel Beck (danielbeck)
            Reporter: Ryan Campbell (recampbell)
            Votes: 7
            Watchers: 14
