Details
-
New Feature
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Fixed
Description
Jenkins 1.532.2 sets X-Frame-Options to sameorigin |https://github.com/cloudbees/hudson/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6]. While this prevents attacks via frame embedding, it also prevents any desirable embedding of Jenkins in a frame.
This should be configurable "somehow." Either via an extension point, or allowing PageDecorators to set the header property by changing the order of layout.jelly.
Attachments
Issue Links
- is duplicated by
-
JENKINS-21842 Need a way to permit Jenkins to be visible in selected iframes
-
- Resolved
-
-
-
- Resolved
-
- is related to
-
-
- Resolved
-
- links to
Activity
Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
http://jenkins-ci.org/commit/xframe-filter-plugin/ba9635dbb1f3ce8a64ded546a4fc1c81199d3191
Log:
Updating to 1.532.2 so that SECURITY-80 / JENKINS-21881 can be tested.
http://jenkins-ci.org/commit/xframe-filter-plugin/bce246d5f2b8bb38d3c7f9784a13e80746f46c88 allows this plugin to override the X-Frame-Options header. So you could set it to ALLOW-FROM …URI… (not interpreted by all browsers), or maybe just set it to blank (TBD what that does).
Reynald Borer
added a comment - As Jesse said, setting the header to ALLOW-FROM URI is not supported by all browsers (at least Chrome and Safari does not support it), so I think a better option would be to have a way to disable this header in core directly instead, like the CSRF prevention.
Reynald Borer
added a comment - As Jesse said, setting the header to ALLOW-FROM URI is not supported by all browsers (at least Chrome and Safari does not support it), so I think a better option would be to have a way to disable this header in core directly instead, like the CSRF prevention. @rborer @npfistner have you tried using (a snapshot of) the XFrame Filter plugin and just setting the header to blank (the empty string)? This causes Jenkins to send the header but with a blank value. If that is handled the same as an unset header by major browsers then this would be the easiest option.
Otherwise I think we need an extension point in core with matching GlobalSecurityConfiguration UI with two implementations in core: current SAMEORIGIN as default, and no header with a warning about resulting vulnerabilities; the XFrame Filter plugin would offer a third implementation: a customizable header, and perhaps in the future the possibility to adjust the header dynamically according to User-Agent and/or Referer.
Reynald Borer
added a comment - @jglick setting a blank header seems to work for Chrome. It's a big hack IMHO, but at least it helps solving the issue 
Reynald Borer
added a comment - @jglick setting a blank header seems to work for Chrome. It's a big hack IMHO, but at least it helps solving the issue I published a 1.1 release of the XFrame Filter plugin as a quick fix for people affected by this issue. Leaving this open for a cleaner solution.
Is this really something that needs a solution in core, especially if there's already a plugin for it?
If so, why not provide an unrestricted "Raw HTML" markup formatter with core? It has legitimate use cases even though it's a bad idea for most installs – just like removing X-Frame-Options in core.
Is this really something that needs a solution in core, especially if there's already a plugin for it?
The problem is that the plugin cannot suppress the header entirely; it can only set the header value to the empty string. Which seems to work in practice but might be illegal. So something ought to be done in core. This could be minimal, as in recognizing a system property to suppress its normal behavior that the plugin would set; but that is also a hack from a design perspective—generally we prefer to have behavior driven by extension points, with plugins adding options according to a documented SPI.
Right, no HttpServletResponse.removeHeader(String) and the X-Frame-Options header does not seem to have an explicit value for default behavior.
Content-Security-Policy seems to allow setting a value that allows everything (default-src *). Maybe this would be a solution going forward; setting a strict default, and allowing customization in a plugin? Browser Support also seems to be good.
That indeed looks like the right header to use going forward. http://www.w3.org/TR/CSP/#content-security-policy-header-field notes that multiple such headers are all enforced, but that should not force the introduction of an API since st:setHeader overrides an existing single header.
Actually, I was probably wrong.
X-Frame-Options specified how the current site might be embedded, while Content-Security-Policy specifies what the current site is allowed to embed. So X-Frame-Options protected against users visiting rogue sites embedding Jenkins, while Content-Security-Policy protects against Jenkins embedding malicious bits.
While there's still the sandbox attribute, I'm not sure what its effect is.
After adding the plugin and unticking the Send X-Frame-Options, I can now load Jenkins from within an iframe on IE, but not Firefox or Chrome.
If you are within a sealed corporate environment, you will not need this feature because it will only cause you trouble
Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
core/src/main/resources/lib/layout/layout.jelly
http://jenkins-ci.org/commit/jenkins/fc78fdee9b7a95a6791d23575907cb3389363087
Log:
[FIXED JENKINS-21881] System property for disabling X-Frame-Options
Code changed in jenkins
User: Daniel Beck
Path:
test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
http://jenkins-ci.org/commit/jenkins/3b5564a4abf8f8976d42ce11d7711cd7022b639b
Log:
JENKINS-21881 Add test
Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
core/src/main/resources/lib/layout/layout.jelly
test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
http://jenkins-ci.org/commit/jenkins/852ba85c961499be716012e76ecbb1104a64091a
Log:
Merge pull request #1391 from daniel-beck/JENKINS-21881
[FIXED JENKINS-21881] System property for disabling X-Frame-Options
Compare: https://github.com/jenkinsci/jenkins/compare/598aea4307a7...852ba85c9614
From 1.581 on, start Jenkins using java -Djenkins.security.FrameOptionsPageDecorator.enabled=false -jar jenkins.war (with -D before -jar) to get rid of the header.
Integrated in 
jenkins_main_trunk #3677
[FIXED JENKINS-21881] System property for disabling X-Frame-Options (Revision fc78fdee9b7a95a6791d23575907cb3389363087)
JENKINS-21881 Add test (Revision 3b5564a4abf8f8976d42ce11d7711cd7022b639b)
Result = SUCCESS
daniel-beck : fc78fdee9b7a95a6791d23575907cb3389363087
Files :
- core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
- core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
- core/src/main/resources/lib/layout/layout.jelly
daniel-beck : 3b5564a4abf8f8976d42ce11d7711cd7022b639b
Files :
- test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
Need to check whether https://github.com/jenkinsci/xframe-filter-plugin/blob/master/src/main/resources/org/jenkins/ci/plugins/xframe_filter/XFrameFilterPageDecorator/httpHeaders.jelly works, or could be made to work.