发表新帖
发表新帖

Jenkins Content Security Policy

后端 未结
关注
6 1077
逝去的感伤
逝去的感伤 2020-12-04 16:00

I\'m confused about Jenkins Content Security Policy.

I know these sites:

  • Configuring Content Security Policy
  • Content Security Policy Reference
相关标签:
6条回答
  • 清歌不尽
    2020-12-04 16:11

    Trying to share my procedures I always follow one of theseworkarounds. However you need to pay attention to your security constraints since applying these fixes would be potentially insecure.

    1. Temporal fix:

    Go to Jenkins console and applythe following commands depending on the kind of CSP policies relaxation that you want.

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")

    This workaround is aimed for temporal tests or dev environment.

    If you want to change it permanently add this to the java command when you run the application:

    -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"

    Finally I strongly suggest you to read these articles:

    Official Jenkins documentation https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy

    Workarounds to reset CSP rules temporary or permanently: https://www.cyotek.com/blog/adjusting-the-jenkins-content-security-policy

    0 讨论(0)
  • 长情又很酷
    2020-12-04 16:13

    Below properties worked for me. The following properties allow all the external servers.

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
    0 讨论(0)
  • 南笙
    2020-12-04 16:15

    While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

    In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

    Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

    Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.

    0 讨论(0)
  • 说谎
    2020-12-04 16:26

    I too had a similar issue. The below solution worked for me.

    java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox; style-src 'unsafe-inline' *;" -Dsvnkit.http.sslProtocols=TLSv1 -jar C:/server/Jenkins.war --httpPort=8280
    0 讨论(0)
  • 情话喂你
    2020-12-04 16:30

    To add more to the @Kirill's answer ...

    If jenkins is deployed in tomcat container, set the CATALINA_OPTS environment value in setenv.sh file ( Present in ${CATALINA_BASE}/bin Folder ) as highlighted below:-

    export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_BASE}/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"\"

    or 

    export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/software/jenkins/tomcat_jenkins/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'self'; script-src *; 'unsafe-eval'; img-src *; style-src *; 'unsafe-inline'; font-src *;\

    After Changing the above file, restart the tomcat. It worked like charm to me. Hope it helps :)

    Note:- CSP is only applicable for the plugins like HTML publisher, maven plugin . It didn't work for email html file.

    0 讨论(0)
  • 清歌不尽
    2020-12-04 16:32

    Just to be clear about setting this CSP property permanently on Jenkins.

    If you are running Jenkins on Ubuntu:

    1. $ vim /etc/default/jenkins
    2. Find the line with JAVA_ARGS and add the CSP policy like this: JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

    If you are running Jenkins on CentOS:

    1. $ vim /etc/sysconfig/jenkins
    2. Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy like this: JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

    Save the file and restart Jenkins. $ sudo service jenkins restart or in your browser http://localhost:8080/safeRestart

    0 讨论(0)
 看不清?
提交回复
热议问题