• Icon: New Feature New Feature
    • Resolution: Fixed
    • Icon: Minor Minor
    • core

      Jenkins 1.532.2 sets X-Frame-Options to sameorigin |https://github.com/cloudbees/hudson/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6]. While this prevents attacks via frame embedding, it also prevents any desirable embedding of Jenkins in a frame.

      This should be configurable "somehow." Either via an extension point, or allowing PageDecorators to set the header property by changing the order of layout.jelly.

          [JENKINS-21881] Make X-Frame-Options configurable

          Jesse Glick added a comment -

          Jesse Glick added a comment - Need to check whether https://github.com/jenkinsci/xframe-filter-plugin/blob/master/src/main/resources/org/jenkins/ci/plugins/xframe_filter/XFrameFilterPageDecorator/httpHeaders.jelly works, or could be made to work.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          pom.xml
          http://jenkins-ci.org/commit/xframe-filter-plugin/ba9635dbb1f3ce8a64ded546a4fc1c81199d3191
          Log:
          Updating to 1.532.2 so that SECURITY-80 / JENKINS-21881 can be tested.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: pom.xml http://jenkins-ci.org/commit/xframe-filter-plugin/ba9635dbb1f3ce8a64ded546a4fc1c81199d3191 Log: Updating to 1.532.2 so that SECURITY-80 / JENKINS-21881 can be tested.

          Jesse Glick added a comment -

          http://jenkins-ci.org/commit/xframe-filter-plugin/bce246d5f2b8bb38d3c7f9784a13e80746f46c88 allows this plugin to override the X-Frame-Options header. So you could set it to ALLOW-FROM …URI… (not interpreted by all browsers), or maybe just set it to blank (TBD what that does).

          Jesse Glick added a comment - http://jenkins-ci.org/commit/xframe-filter-plugin/bce246d5f2b8bb38d3c7f9784a13e80746f46c88 allows this plugin to override the X-Frame-Options header. So you could set it to ALLOW-FROM …URI… (not interpreted by all browsers), or maybe just set it to blank (TBD what that does).

          Reynald Borer added a comment -

          As Jesse said, setting the header to ALLOW-FROM URI is not supported by all browsers (at least Chrome and Safari does not support it), so I think a better option would be to have a way to disable this header in core directly instead, like the CSRF prevention.

          Reynald Borer added a comment - As Jesse said, setting the header to ALLOW-FROM URI is not supported by all browsers (at least Chrome and Safari does not support it), so I think a better option would be to have a way to disable this header in core directly instead, like the CSRF prevention.

          Jesse Glick added a comment -

          @rborer @npfistner have you tried using (a snapshot of) the XFrame Filter plugin and just setting the header to blank (the empty string)? This causes Jenkins to send the header but with a blank value. If that is handled the same as an unset header by major browsers then this would be the easiest option.

          Otherwise I think we need an extension point in core with matching GlobalSecurityConfiguration UI with two implementations in core: current SAMEORIGIN as default, and no header with a warning about resulting vulnerabilities; the XFrame Filter plugin would offer a third implementation: a customizable header, and perhaps in the future the possibility to adjust the header dynamically according to User-Agent and/or Referer.

          Jesse Glick added a comment - @rborer @npfistner have you tried using (a snapshot of) the XFrame Filter plugin and just setting the header to blank (the empty string)? This causes Jenkins to send the header but with a blank value. If that is handled the same as an unset header by major browsers then this would be the easiest option. Otherwise I think we need an extension point in core with matching GlobalSecurityConfiguration UI with two implementations in core: current SAMEORIGIN as default, and no header with a warning about resulting vulnerabilities; the XFrame Filter plugin would offer a third implementation: a customizable header, and perhaps in the future the possibility to adjust the header dynamically according to User-Agent and/or Referer .

          Reynald Borer added a comment -

          @jglick setting a blank header seems to work for Chrome. It's a big hack IMHO, but at least it helps solving the issue

          Reynald Borer added a comment - @jglick setting a blank header seems to work for Chrome. It's a big hack IMHO, but at least it helps solving the issue

          Jesse Glick added a comment -

          I published a 1.1 release of the XFrame Filter plugin as a quick fix for people affected by this issue. Leaving this open for a cleaner solution.

          Jesse Glick added a comment - I published a 1.1 release of the XFrame Filter plugin as a quick fix for people affected by this issue. Leaving this open for a cleaner solution.

          Daniel Beck added a comment -

          Is this really something that needs a solution in core, especially if there's already a plugin for it?

          If so, why not provide an unrestricted "Raw HTML" markup formatter with core? It has legitimate use cases even though it's a bad idea for most installs – just like removing X-Frame-Options in core.

          Daniel Beck added a comment - Is this really something that needs a solution in core, especially if there's already a plugin for it? If so, why not provide an unrestricted "Raw HTML" markup formatter with core? It has legitimate use cases even though it's a bad idea for most installs – just like removing X-Frame-Options in core.

          Jesse Glick added a comment -

          Is this really something that needs a solution in core, especially if there's already a plugin for it?

          The problem is that the plugin cannot suppress the header entirely; it can only set the header value to the empty string. Which seems to work in practice but might be illegal. So something ought to be done in core. This could be minimal, as in recognizing a system property to suppress its normal behavior that the plugin would set; but that is also a hack from a design perspective—generally we prefer to have behavior driven by extension points, with plugins adding options according to a documented SPI.

          Jesse Glick added a comment - Is this really something that needs a solution in core, especially if there's already a plugin for it? The problem is that the plugin cannot suppress the header entirely; it can only set the header value to the empty string. Which seems to work in practice but might be illegal. So something ought to be done in core. This could be minimal, as in recognizing a system property to suppress its normal behavior that the plugin would set; but that is also a hack from a design perspective—generally we prefer to have behavior driven by extension points, with plugins adding options according to a documented SPI.

          Daniel Beck added a comment -

          Right, no HttpServletResponse.removeHeader(String) and the X-Frame-Options header does not seem to have an explicit value for default behavior.

          Daniel Beck added a comment - Right, no HttpServletResponse.removeHeader(String) and the X-Frame-Options header does not seem to have an explicit value for default behavior.

          Daniel Beck added a comment -

          Content-Security-Policy seems to allow setting a value that allows everything (default-src *). Maybe this would be a solution going forward; setting a strict default, and allowing customization in a plugin? Browser Support also seems to be good.

          Daniel Beck added a comment - Content-Security-Policy seems to allow setting a value that allows everything ( default-src * ). Maybe this would be a solution going forward; setting a strict default, and allowing customization in a plugin? Browser Support also seems to be good.

          Jesse Glick added a comment -

          That indeed looks like the right header to use going forward. http://www.w3.org/TR/CSP/#content-security-policy-header-field notes that multiple such headers are all enforced, but that should not force the introduction of an API since st:setHeader overrides an existing single header.

          Jesse Glick added a comment - That indeed looks like the right header to use going forward. http://www.w3.org/TR/CSP/#content-security-policy-header-field notes that multiple such headers are all enforced, but that should not force the introduction of an API since st:setHeader overrides an existing single header.

          Daniel Beck added a comment -

          Actually, I was probably wrong.

          X-Frame-Options specified how the current site might be embedded, while Content-Security-Policy specifies what the current site is allowed to embed. So X-Frame-Options protected against users visiting rogue sites embedding Jenkins, while Content-Security-Policy protects against Jenkins embedding malicious bits.

          While there's still the sandbox attribute, I'm not sure what its effect is.

          Daniel Beck added a comment - Actually, I was probably wrong. X-Frame-Options specified how the current site might be embedded, while Content-Security-Policy specifies what the current site is allowed to embed. So X-Frame-Options protected against users visiting rogue sites embedding Jenkins, while Content-Security-Policy protects against Jenkins embedding malicious bits. While there's still the sandbox attribute, I'm not sure what its effect is.

          Stuart Whelan added a comment -

          After adding the plugin and unticking the Send X-Frame-Options, I can now load Jenkins from within an iframe on IE, but not Firefox or Chrome.

          Stuart Whelan added a comment - After adding the plugin and unticking the Send X-Frame-Options, I can now load Jenkins from within an iframe on IE, but not Firefox or Chrome.

          If you are within a sealed corporate environment, you will not need this feature because it will only cause you trouble

          Timm Drevensek added a comment - If you are within a sealed corporate environment, you will not need this feature because it will only cause you trouble

          Timm Drevensek added a comment - - edited

          This is the bypass this "feature" but it's broken! JENKINS-22430

          Timm Drevensek added a comment - - edited This is the bypass this "feature" but it's broken! JENKINS-22430

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087
          Log:
          [FIXED JENKINS-21881] System property for disabling X-Frame-Options

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/resources/lib/layout/layout.jelly http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087 Log: [FIXED JENKINS-21881] System property for disabling X-Frame-Options

          Code changed in jenkins
          User: Daniel Beck
          Path:
          test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
          http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b
          Log:
          JENKINS-21881 Add test

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b Log: JENKINS-21881 Add test

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          core/src/main/resources/lib/layout/layout.jelly
          test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
          http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a
          Log:
          Merge pull request #1391 from daniel-beck/JENKINS-21881

          [FIXED JENKINS-21881] System property for disabling X-Frame-Options

          Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/resources/lib/layout/layout.jelly test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a Log: Merge pull request #1391 from daniel-beck/ JENKINS-21881 [FIXED JENKINS-21881] System property for disabling X-Frame-Options Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614

          Daniel Beck added a comment -

          From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar) to get rid of the header.

          Daniel Beck added a comment - From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar ) to get rid of the header.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3677
          [FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087)
          JENKINS-21881 Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b)

          Result = SUCCESS
          daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087
          Files :

          • core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
          • core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
          • core/src/main/resources/lib/layout/layout.jelly

          daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b
          Files :

          • test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java

          dogfood added a comment - Integrated in jenkins_main_trunk #3677 [FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087) JENKINS-21881 Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b) Result = SUCCESS daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087 Files : core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/lib/layout/layout.jelly daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b Files : test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java

            danielbeck Daniel Beck
            recampbell Ryan Campbell
            Votes:
            7 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated:
              Resolved: