Content-Security-Policy in Jenkins


Boris Serdiuk

Jan 8, 2016, 5:49:58 AM
to Jenkins Users
Hello! 

Since Jenkins 1.625.3 you have added a Content-Security-Policy header for some content served from plugins. I understand the reason for doing it, but it breaks a lot of use cases.
I am a developer of Allure Framework, a tool for better test reports. We have an Allure Jenkins Plugin, so some of our users are also Jenkins users. And since that security fix we have got a lot of bug reports about it:
Also, there are more questions about it in our Gitter chat. People just do not understand what is going on. We can't get rid of using JavaScript in our framework, so I have to explain again and again what users should do.

Do you have any announcement or migration guide where I can redirect my users? Also, I am looking for a better way to relax the content security policy via the UI rather than changing configuration properties in a file.

Daniel Beck

Jan 8, 2016, 9:24:04 AM
to jenkins...@googlegroups.com
On 08.01.2016, at 11:49, Boris Serdiuk <djbo...@gmail.com> wrote:

> Do you have any announcement or migration guide where I can redirect my users?

Choose any of these, the full documentation is at most two clicks away:

Security advisory announcement:
https://groups.google.com/d/msg/jenkinsci-advisories/Zy8yMkQfld4/a8lkB_DUDQAJ

Announcement blog post:
https://jenkins-ci.org/blog/2015/12/09/security-updates-released-today/

Regular changelog links to advisory:
https://jenkins-ci.org/changelog/#v1.641

LTS changelog links to advisory:
https://jenkins-ci.org/changelog-stable/#v1.625.3

Security advisory with giant notice on compatibility:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09

Documentation:
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

If you have suggestions how to make this more noticeable without doing giant banners everywhere, or repeating the same information in a dozen places, please let me know.

> Also, I am looking for a better way to relax the content security policy via the UI rather than changing configuration properties in a file.

I'm planning to make setting the system property a regular part of the Jenkins global security config UI. It is tracked here: https://issues.jenkins-ci.org/browse/JENKINS-32296
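As an added illustration for administrators comparing the default header with a relaxed one (this is not code from the thread, from Jenkins, or from the Allure plugin), the Python below parses a Content-Security-Policy header and reports whether same-origin and inline scripts may execute. The default header value is assumed from the Jenkins CSP documentation linked above; the relaxed variant is a constructed sample of the kind an administrator might set through the system property.

```python
# Added example: evaluate what a CSP header allows for scripts, to show why
# JavaScript-based reports served through Jenkins stop working under the default policy.
from typing import Dict, List

# Assumed default, taken from the Jenkins "Configuring Content Security Policy" documentation.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
# Constructed sample of a relaxed policy (not a recommendation): scripts may run,
# but only same-origin resources are permitted and no inline script is allowed.
RELAXED_CSP = "sandbox allow-scripts; default-src 'self';"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [tokens]}. Directive names are case-insensitive,
    and per the CSP spec a repeated directive is ignored after its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing a fetch directive, falling back to default-src when it is absent."""
    sources = policy.get(directive, policy.get("default-src", []))
    return [s.lower() for s in sources]


def script_policy(header: str) -> Dict[str, bool]:
    """Report whether same-origin external scripts and inline scripts may execute.
    Nonce- and hash-based allowances are not modelled; only keyword sources are checked."""
    policy = parse_csp(header)
    # A sandbox directive without allow-scripts disables script execution entirely,
    # regardless of what script-src or default-src would otherwise permit.
    if "sandbox" in policy and "allow-scripts" not in [t.lower() for t in policy["sandbox"]]:
        return {"same_origin": False, "inline": False}
    sources = effective_sources(policy, "script-src")
    return {
        "same_origin": "'self'" in sources or "*" in sources,
        "inline": "'unsafe-inline'" in sources,
    }


if __name__ == "__main__":
    for label, header in (("default", JENKINS_DEFAULT_CSP), ("relaxed", RELAXED_CSP)):
        print(label, script_policy(header))
```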

Boris Serdiuk

Jan 11, 2016, 4:00:01 AM
to Jenkins Users, m...@beckweb.net
Well, I read the release notes and the reasoning behind it, but I don't get why that breaking change wasn't made opt-in.

As I understand it, it affects only build servers for open-source projects. But a lot of users with private Jenkins installations just got this update suddenly and ended up with a broken workflow. I guess that maintainers of open-source projects are usually more advanced users and can enable extra protection for their servers, rather than other users having to take weird actions to get some Jenkins extensions working again.

Daniel Beck

Jan 12, 2016, 9:29:01 AM
to jenkins...@googlegroups.com

On 11.01.2016, at 10:00, Boris Serdiuk <djbo...@gmail.com> wrote:

> Well, I read release notes and reasoning behind it but I don't get why that breaking change wasn't made as opt-in.

Security in Jenkins is currently opt-in for mostly historical reasons. That's fine on your team's local network. And one would think people wouldn't run an unsecured Jenkins on a publicly accessible server. We've recently learned that one would be wrong, and I had the great joy of writing a security advisory(!) basically telling people to not be complete idiots[1]. Therefore I decided to err on the side of caution on this change (and FWIW the rest of the security team agreed).

As to the impact on plugins, we identified several plugins that would be affected and provided guides for the most popular ones. I'd be happy to keep updating the wiki page with definitive information on other plugins as well. And I'm planning to add an option to the security configuration UI to make this option more discoverable and easier to change.

1: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-01
