This article covers how to deal with the error "because the document's frame is sandboxed and the 'allow-scripts' permission is not set". It should be a useful reference for anyone hitting the same problem; read on to work through it.

Problem description


I wrote a program that generated an html file with this header:

but I don't have an iframe at all, let alone one in a sandbox.

When I open the page in the browser (hosted on a Jenkins server) I see no css.

These are the errors (security policy)

I have seen some posts on Stack Overflow saying the <meta> should be like:

<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">

but as you can see in my print screen, that didn't help.

Any idea how I can fix this?

Solution

You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.

One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:

You can experiment with different settings using the Jenkins Script Console. To enable CSS and images from external sites, you could use something like:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src '*'; style-src '*' 'unsafe-inline';")

Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.
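As an added example (not code from the question, the answer, or Jenkins itself), here is a small Python checker that parses a Content-Security-Policy header the way a browser reads the one Jenkins sends, answers whether a given stylesheet, image or script URL is permitted under a directive (with the default-src fallback), and flags the `sandbox`-without-`allow-scripts` condition behind the error in the title. The sample policies, the page origin `https://jenkins.example/` and the resource URLs are constructed placeholders; the matching is a simplified subset of CSP (no ports, paths, nonces or hashes).

```python
from urllib.parse import urlparse

# Constructed sample policies (not captured from a real server): the strict default
# Jenkins ships with, the relaxed one from the answer, and the <meta> policy from the question.
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED = "sandbox; default-src 'self'; img-src '*'; style-src '*' 'unsafe-inline';"
META_POLICY = ("script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; "
               "style-src 'self' maxcdn.bootstrapcdn.com")
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin_of(url):
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port)

def source_allows(expr, url, page_origin):
    """Does one source expression permit `url`? Simplified CSP matching (no ports, paths, nonces, hashes)."""
    if expr in KEYWORDS:                  # 'none', 'unsafe-inline' and 'unsafe-eval' never match a URL
        return expr == "'self'" and origin_of(url) == origin_of(page_origin)
    if expr.startswith("'"):              # e.g. '*' in quotes is not a valid source expression; browsers drop it
        return False
    if expr == "*":                       # the real wildcard is the unquoted asterisk
        return True
    u = urlparse(url)
    if expr.endswith(":"):                # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    pat = urlparse(expr if "://" in expr else "//" + expr)
    if pat.scheme and pat.scheme != u.scheme and not (pat.scheme == "http" and u.scheme == "https"):
        return False                      # an explicit scheme must match (http may be upgraded to https)
    if pat.hostname.startswith("*."):     # host wildcard: *.example.com matches any subdomain
        return u.hostname.endswith(pat.hostname[1:])
    return u.hostname == pat.hostname

def resource_allowed(header, directive, url, page_origin):
    """Check one fetch against `directive`, falling back to default-src the way browsers do."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:                   # no applicable directive: the fetch is unrestricted
        return True
    return any(source_allows(s, url, page_origin) for s in sources)

def scripts_blocked_by_sandbox(header):
    """The title's error: a `sandbox` directive without allow-scripts disables script execution entirely."""
    policy = parse_csp(header)
    return "sandbox" in policy and "allow-scripts" not in policy["sandbox"]
```

Running it over the answer's relaxed policy shows two things worth knowing before changing the Jenkins setting: it keeps `sandbox`, so scripts remain disabled, and its quoted `'*'` is ignored by browsers, so only the unquoted `*` actually opens `style-src` and `img-src` to other hosts.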

That concludes this article on "because the document's frame is sandboxed and the 'allow-scripts' permission is not set". We hope the answer above helps, and thank you for your continued support!

11-03 02:39