Jenkins: the default Content-Security-Policy is currently overridden using hudson.model.DirectoryBrowserSupport.CSP

yh2wf1be posted on 2022-11-21 in Jenkins

After upgrading Jenkins to v2.222.1, we receive the following warning message:

The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files. As an alternative, you can set up a Resource Root URL that Jenkins will use to serve some static files without adding Content-Security-Policy headers.

We do not want a separate origin to serve static content, but at the same time this warning has to be resolved. We would be glad to receive your suggestions.

oo7oh9g9 1#

By default, when you publish any report with the HTML Publisher plugin, the CSS content is not displayed. Jenkins blocks the CSS according to the CSP (Content Security Policy).
Reference: https://www.jenkins.io/doc/book/system-administration/security/configuring-content-security-policy/
To enable CSS content: go to Manage Jenkins -> Script Console and run System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
When CSS is enabled, you receive the following warning: The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files.
To disable it, simply restart the Jenkins server. The CSP will be set back to its default value.

kiz8lqtg 2#

When a .css or .js file is requested, the following message may appear (blocked:csp):

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-Epaif2cHkSx/K62AHKClT5geuHQeilAdJVvUuNPdcuw='), or a nonce ('nonce-...') is required to enable inline execution.

In that case, handle it as follows. Temporarily relax the Content Security Policy: go to Manage Jenkins -> Script Console and type the following commands into the console:

System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP");
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval' ; font-src * data: ");
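As an added example that is not part of this thread: a small Python check that parses a Content-Security-Policy header value and lists the directives which let Jenkins-served files load or run untrusted content, run over the relaxed policy from the answer above and over a restrictive one. The DEFAULT_CSP value is assumed to be Jenkins' stock policy for DirectoryBrowserSupport; it is not taken from this page.

```python
"""Flag CSP directives that weaken how Jenkins serves workspace/archive files.

Useful for reviewing what a Script Console change to
hudson.model.DirectoryBrowserSupport.CSP actually allows before applying it.
"""

# Copied from the answer above (the relaxed policy).
RELAXED_CSP = ("sandbox allow-same-origin allow-scripts; default-src *; "
               "style-src * 'unsafe-inline'; "
               "script-src * 'unsafe-inline' 'unsafe-eval' ; font-src * data: ")

# Assumed to be Jenkins' stock value for DirectoryBrowserSupport (not from the page).
DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value):
    """Return {directive: [source, ...]}; a bare directive such as 'sandbox' maps to []."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weak_directives(value):
    """Return human-readable findings for directives that permit untrusted content."""
    policy = parse_csp(value)
    findings = []
    sandbox = policy.get("sandbox")
    if sandbox is None:
        findings.append("sandbox directive missing")
    elif "allow-same-origin" in sandbox and "allow-scripts" in sandbox:
        # Together these let a served HTML file run scripts as the Jenkins origin.
        findings.append("sandbox: allow-same-origin combined with allow-scripts")
    for directive, sources in policy.items():
        if directive == "sandbox":
            continue
        if "*" in sources:
            findings.append(f"{directive}: wildcard source '*'")
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in sources:
                findings.append(f"{directive}: {keyword}")
    return findings


if __name__ == "__main__":
    for name, csp in (("default", DEFAULT_CSP), ("relaxed", RELAXED_CSP)):
        print(name, weak_directives(csp) or "no weak directives")
```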
