[JENKINS-21881] Make X-Frame-Options configurable - Jenkins Jira

Details

Type: New Feature
Status: Resolved (View Workflow)
Priority: Minor
Resolution: Fixed
Component/s: core
Labels:
- api
- security

Similar Issues:

Show

Description

Jenkins 1.532.2 sets X-Frame-Options to sameorigin |https://github.com/cloudbees/hudson/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6]. While this prevents attacks via frame embedding, it also prevents any desirable embedding of Jenkins in a frame.

This should be configurable "somehow." Either via an extension point, or allowing PageDecorators to set the header property by changing the order of layout.jelly.

Attachments

Issue Links

is duplicated by

JENKINS-21842 Need a way to permit Jenkins to be visible in selected iframes

Resolved

JENKINS-22168 Jenkins does not work inside HTML frame's anymore

Resolved

is related to

JENKINS-22430 XFrame Filter Plugin forgets settings upon Jenkins restart

Resolved

links to

PR 1391

Activity

Ascending order - Click to sort in descending order

View 16 older comments

SCM/JIRA link daemon added a comment - 2014-09-13 12:14

Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
core/src/main/resources/lib/layout/layout.jelly
http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087
Log:
[FIXED JENKINS-21881] System property for disabling X-Frame-Options

SCM/JIRA link daemon added a comment - 2014-09-13 12:14 Code changed in jenkins User: Daniel Beck Path: core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/resources/lib/layout/layout.jelly http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087 Log: [FIXED JENKINS-21881] System property for disabling X-Frame-Options

SCM/JIRA link daemon added a comment - 2014-09-13 12:14

Code changed in jenkins
User: Daniel Beck
Path:
test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b
Log:
~~JENKINS-21881~~ Add test

SCM/JIRA link daemon added a comment - 2014-09-13 12:14 Code changed in jenkins User: Daniel Beck Path: test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b Log: JENKINS-21881 Add test

SCM/JIRA link daemon added a comment - 2014-09-13 12:15

Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
core/src/main/resources/lib/layout/layout.jelly
test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a
Log:
Merge pull request #1391 from daniel-beck/~~JENKINS-21881~~

[FIXED JENKINS-21881] System property for disabling X-Frame-Options

Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614

SCM/JIRA link daemon added a comment - 2014-09-13 12:15 Code changed in jenkins User: Daniel Beck Path: core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/resources/lib/layout/layout.jelly test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a Log: Merge pull request #1391 from daniel-beck/ JENKINS-21881 [FIXED JENKINS-21881] System property for disabling X-Frame-Options Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614

Daniel Beck added a comment - 2014-09-13 12:34

From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar) to get rid of the header.

Daniel Beck added a comment - 2014-09-13 12:34 From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar ) to get rid of the header.

dogfood added a comment - 2014-09-13 14:08

Integrated in jenkins_main_trunk #3677
[FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087)
~~JENKINS-21881~~ Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b)

Result = SUCCESS
daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087
Files :

core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
core/src/main/resources/lib/layout/layout.jelly

daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b
Files :

test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java

dogfood added a comment - 2014-09-13 14:08 Integrated in jenkins_main_trunk #3677 [FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087) JENKINS-21881 Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b) Result = SUCCESS daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087 Files : core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java core/src/main/resources/lib/layout/layout.jelly daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b Files : test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java

Jenkins

Make X-Frame-Options configurable

Details

Description

Attachments

Issue Links

Activity

People

Dates