    • New Feature
    • Resolution: Fixed
    • Minor
    • core

      Jenkins 1.532.2 sets X-Frame-Options to sameorigin (https://github.com/cloudbees/hudson/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6). While this prevents attacks via frame embedding, it also prevents any desirable embedding of Jenkins in a frame.

      This should be configurable "somehow." Either via an extension point, or allowing PageDecorators to set the header property by changing the order of layout.jelly.
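
Added example (not part of the issue and not Jenkins code): a small Python model of how a browser applies `X-Frame-Options`, showing why `sameorigin` also blocks the legitimate embedding case described above. The host names are constructed, and treating an unrecognized value as ignored and checking every ancestor frame are assumptions modelled on current browser behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def framing_allowed(headers, page_url, ancestor_urls):
    """Decide whether page_url, served with `headers`, may render inside the
    given chain of ancestor frames (innermost parent first)."""
    # HTTP header names are case-insensitive.
    value = next(
        (v for k, v in headers.items() if k.lower() == "x-frame-options"), None
    )
    if value is None:
        return True  # no header: any site may frame the page
    token = value.strip().upper()
    if token == "DENY":
        return False  # never rendered in a frame, even on its own origin
    if token == "SAMEORIGIN":
        # Every ancestor must share the framed page's origin.
        page = origin(page_url)
        return all(origin(a) == page for a in ancestor_urls)
    # Assumption: any other value is ignored, as if the header were absent.
    return True


if __name__ == "__main__":
    # Constructed hosts: a Jenkins instance and a separate dashboard site.
    jenkins = "https://jenkins.example.test/job/build/"
    hdrs = {"X-Frame-Options": "sameorigin"}  # value the issue describes
    cases = {
        "hostile or unrelated site": ["https://other.example.test/"],
        "in-house dashboard": ["https://dashboard.example.test/wall"],
        "Jenkins framing itself": ["https://jenkins.example.test:443/view/all"],
    }
    for label, chain in cases.items():
        print(f"{label}: allowed={framing_allowed(hdrs, jenkins, chain)}")
```

The in-house dashboard is refused exactly like the unrelated site, which is the trade-off the request is about: the header value has no way to distinguish a trusted embedder from an untrusted one.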

          [JENKINS-21881] Make X-Frame-Options configurable

          Ryan Campbell created issue -
          Jesse Glick made changes -
          Labels Original: lts-candidate New: api lts-candidate security
          Jesse Glick made changes -
          Link New: This issue is duplicated by JENKINS-21842 [ JENKINS-21842 ]
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-80 [ SECURITY-80 ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Beck made changes -
          Link New: This issue is duplicated by JENKINS-22168 [ JENKINS-22168 ]
          Timm Drevensek made changes -
          Link New: This issue is related to JENKINS-22430 [ JENKINS-22430 ]
          Daniel Beck made changes -
          Assignee New: Daniel Beck [ danielbeck ]
          Daniel Beck made changes -
          Remote Link New: This issue links to "PR 1391 (Web Link)" [ 11502 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Daniel Beck made changes -
          Labels Original: api lts-candidate security New: api security

            danielbeck Daniel Beck
            recampbell Ryan Campbell
            Votes: 7
            Watchers: 14
