Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-41891

Serve static files from second domain as an alternative to setting CSP

    XMLWordPrintable

Details

    • jenkins-2.200

    Description

      Dealing with Content-Security-Policy is just too annoying, and there's too many plugins trying to just serve static files in Jenkins, often for no real reason.

      We need second domain support for static resources (DirectoryBrowserSupport) such that accessing that is possible without authentication, just with a token, and that token is used for linked resources as well.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-59849 Spaces don't work in resource root paths

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. JENKINS-59874 Support resource domain

          • Major - Major loss of function.
          • Open
          links to

          Web Link CloudBees-internal issue

          Web Link PR 4239

          Activity

            Ascending order - Click to sort in descending order
            View 35 older comments
            sagarraju456 Sagar added a comment -

            Hi All, we are using a performance tool that generated html content based on the jinja templates and we want to publish those inside Jenkins.

            The html content is not displayed properly, I understand that its due to Content Security Policy. When I tried to run some commands like System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", ""), still the html content is not displayed properly. Does it need a jenkins restart ?
            Now here comes the question of resoure root URL. I have these files generated and archived inside the Jenkins workspace. What should be the URL I need to provide ?
            When I open the html in the browser its pointing to the location in which its present but not any particular website.

            Can some one please help ?

            sagarraju456 Sagar added a comment - Hi All, we are using a performance tool that generated html content based on the jinja templates and we want to publish those inside Jenkins. The html content is not displayed properly, I understand that its due to Content Security Policy. When I tried to run some commands like System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", ""), still the html content is not displayed properly. Does it need a jenkins restart ? Now here comes the question of resoure root URL. I have these files generated and archived inside the Jenkins workspace. What should be the URL I need to provide ? When I open the html in the browser its pointing to the location in which its present but not any particular website. Can some one please help ?
            kon Kalle Niemitalo added a comment - - edited

            I don’t think changing the property value needs a Jenkins restart. DirectoryBrowserSupport rereads it every time: https://github.com/jenkinsci/jenkins/blob/f48c5f552f72485658c1c98482b42ae42ed1ee8c/core/src/main/java/hudson/model/DirectoryBrowserSupport.java#L380

            You could use the developer features of the web browser to check whether the HTTP response still has a Content-Security-Policy header and what kind.

            kon Kalle Niemitalo added a comment - - edited I don’t think changing the property value needs a Jenkins restart. DirectoryBrowserSupport rereads it every time: https://github.com/jenkinsci/jenkins/blob/f48c5f552f72485658c1c98482b42ae42ed1ee8c/core/src/main/java/hudson/model/DirectoryBrowserSupport.java#L380 You could use the developer features of the web browser to check whether the HTTP response still has a Content-Security-Policy header and what kind.
            sagarraju456 Sagar added a comment -

            kon Thank for your response. I was also looking at second option of configuring resource root url. But what is the resource root URL. for the html files which were generated and available in Jenkins workspace ?

            To keep it simple, how to generate the resource root URL for static files or html files present in the Jenkins workspace ?

            sagarraju456 Sagar added a comment - kon Thank for your response. I was also looking at second option of configuring resource root url. But what is the resource root URL. for the html files which were generated and available in Jenkins workspace ? To keep it simple, how to generate the resource root URL for static files or html files present in the Jenkins workspace ?
            kon Kalle Niemitalo added a comment - - edited

            I don’t really have experience with the resource root URL setting, but from what I understand, you don’t “generate” it; rather, you register another hostname in DNS, pointing to your Jenkins controller host, and configure that as the resource root in Jenkins. Then when a user tries to access “untrusted” files (such as files in workspaces) with a Web browser, Jenkins redirects to a URL within the resource root and serves the file from there.

            So, you should talk about the resource hostname with the people who maintain your DNS. They might decide that you need to use a separate second-level domain (like GitHub has github.com for its own UI but githubusercontent.com for untrusted files). Jenkins does not mandate such a strict separation and would be happy with a subdomain for the resources, but perhaps your corporate network has some other web servers that need to be protected from potentially malicious scripts in untrusted files that Jenkins serves under the resource root URL.

            kon Kalle Niemitalo added a comment - - edited I don’t really have experience with the resource root URL setting, but from what I understand, you don’t “generate” it; rather, you register another hostname in DNS, pointing to your Jenkins controller host, and configure that as the resource root in Jenkins. Then when a user tries to access “untrusted” files (such as files in workspaces) with a Web browser, Jenkins redirects to a URL within the resource root and serves the file from there. So, you should talk about the resource hostname with the people who maintain your DNS. They might decide that you need to use a separate second-level domain (like GitHub has github.com for its own UI but githubusercontent.com for untrusted files). Jenkins does not mandate such a strict separation and would be happy with a subdomain for the resources, but perhaps your corporate network has some other web servers that need to be protected from potentially malicious scripts in untrusted files that Jenkins serves under the resource root URL.
            danielbeck Daniel Beck added a comment -

            This is an issue tracker, please ask development questions on the dev list to a much larger audience.

            danielbeck Daniel Beck added a comment - This is an issue tracker, please ask development questions on the dev list to a much larger audience.

            People

              danielbeck Daniel Beck
              danielbeck Daniel Beck
              Votes:
              2 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: