Problem description
I wrote a program that generated an html file with this header:
but I don't have an iframe at all, let alone one in a sandbox.
When I open the page in the browser (hosted on a Jenkins server) I see no css.
These are the errors (security policy)
I have seen some posts on Stack Overflow saying the <meta> should be like:
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">
but as you can see in my screenshot, that didn't help.
Any idea how I can fix this?
You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.
One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:
You can experiment with different settings using the Jenkins Script Console. To enable CSS and images from external sites, you could use something like:
// Groovy, run in Manage Jenkins > Script Console. In CSP the wildcard is a bare *; a quoted '*' is an invalid source expression that browsers ignore, so it is written unquoted here.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src *; style-src * 'unsafe-inline';")
Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.
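To see why the <meta> tag from the question cannot help, and what each relaxed policy actually permits, here is a small CSP evaluator written for this page (it is an added example, not code from the question, the answer or Jenkins). It models three rules that decide this case: when a response header and a <meta> tag both carry a policy, a load must be allowed by every policy, so a <meta> tag can only tighten what Jenkins already sent; the `sandbox` directive without `allow-scripts` blocks all script execution regardless of `script-src`, which is the error in the page title; and a quoted '*' is not a valid source expression, so the policy stays as strict as before. The Jenkins origin, the file URLs and the value used as Jenkins' built-in default policy are assumptions, constructed for the example.

```python
"""Tiny Content-Security-Policy evaluator (added example, not Jenkins code).

Models only what this question needs: source lists for script-src, style-src
and img-src with default-src fallback, the sandbox directive, and the rule that
every applicable policy (the header Jenkins sends plus a <meta> tag in the
page) must allow a load.  Real browsers implement much more (paths, nonces...).
"""
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']} (directive names lower-cased)."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return result


def invalid_sources(policy):
    """Quoted tokens that are not CSP keywords, e.g. '*' in quotes.  Browsers log a
    warning and drop them, so the directive silently stays as strict as before."""
    bad = []
    for name, sources in parse_csp(policy).items():
        for s in sources:
            if (s.startswith("'") and s.lower() not in KEYWORDS
                    and not s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))):
                bad.append((name, s))
    return bad


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(expr, url, page_origin):
    """Does one source expression permit loading `url` into a page at `page_origin`?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    e = expr.lower()
    if e == "'self'":
        return (target.scheme, target.hostname, target.port or DEFAULT_PORTS.get(target.scheme)) == \
               (page.scheme, page.hostname, page.port or DEFAULT_PORTS.get(page.scheme))
    if e.startswith("'"):
        return False                      # 'none', other keywords, hashes or invalid tokens never match a URL
    if e.endswith(":") and "/" not in e:  # scheme-source such as https:
        return target.scheme == e[:-1]
    scheme, rest = e.split("://", 1) if "://" in e else (None, e)
    host, _, port = rest.split("/", 1)[0].partition(":")   # host-source; path matching omitted
    if scheme and target.scheme != scheme:
        return False
    if port and port != "*" and str(target.port or DEFAULT_PORTS.get(target.scheme)) != port:
        return False
    return _host_matches(host, (target.hostname or "").lower())


def effective_sources(policy, directive):
    d = parse_csp(policy)
    return d[directive] if directive in d else d.get("default-src")  # None: not governed


def policy_allows(policy, directive, url, page_origin):
    sources = effective_sources(policy, directive)
    return sources is None or any(source_allows(s, url, page_origin) for s in sources)


def allowed(policies, directive, url, page_origin):
    """Header and <meta> policies are enforced independently: all of them must allow
    the load, so a <meta> tag can only tighten, never loosen, what the server sent."""
    return all(policy_allows(p, directive, url, page_origin) for p in policies)


def inline_allowed(policies, directive):
    """Inline <style>/<script> need 'unsafe-inline' in every policy governing the directive."""
    return all(s is None or "'unsafe-inline'" in [x.lower() for x in s]
               for s in (effective_sources(p, directive) for p in policies))


def scripts_blocked_by_sandbox(header_policy):
    """`sandbox` without allow-scripts blocks all scripts regardless of script-src.
    Only the header counts: the sandbox directive is ignored inside a <meta> tag."""
    d = parse_csp(header_policy)
    return "sandbox" in d and "allow-scripts" not in [t.lower() for t in d["sandbox"]]


# --- constructed inputs (assumptions, not captured from a real Jenkins instance) ---
PAGE = "http://jenkins.example:8080"   # hypothetical Jenkins origin
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"  # assumed built-in default
META = ("script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' maxcdn.bootstrapcdn.com")                                  # the question's <meta>
RELAXED_AS_POSTED = "sandbox; default-src 'self'; img-src '*'; style-src '*' 'unsafe-inline';"
RELAXED_FIXED = "sandbox allow-scripts; default-src 'self'; img-src *; style-src * 'unsafe-inline';"
BOOTSTRAP_CSS = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
ERP_JS = "http://onlineerp.solution.quebec/app.js"


def diagnose(header, meta=META):
    """Summarise what a page served under `header` (plus its own <meta> policy) may load."""
    both = [header, meta]
    return {
        "bootstrap_css": allowed(both, "style-src", BOOTSTRAP_CSS, PAGE),
        "inline_style": inline_allowed(both, "style-src"),
        "erp_script": allowed(both, "script-src", ERP_JS, PAGE) and not scripts_blocked_by_sandbox(header),
        "scripts_sandboxed": scripts_blocked_by_sandbox(header),
        "invalid": invalid_sources(header),
    }


if __name__ == "__main__":
    for name, hdr in [("jenkins default", JENKINS_DEFAULT), ("relaxed as posted", RELAXED_AS_POSTED),
                      ("relaxed, fixed", RELAXED_FIXED)]:
        print(f"{name:18} {diagnose(hdr)}")
```

Running it shows that under the assumed default the Bootstrap stylesheet is blocked by the header no matter what the <meta> tag says; that the relaxed policy as posted still blocks it because the quoted '*' is discarded; and that only the unquoted wildcard plus `allow-scripts` lets both the CSS and scripts through (the external script from onlineerp.solution.quebec still needs a matching `script-src`, since `default-src 'self'` covers it otherwise). Before and after changing the property, confirm what Jenkins actually sends with `curl -sI` against the page URL and look for the Content-Security-Policy header; a value set through the Script Console takes effect immediately but is lost on restart, so pass it as a -D JVM argument to make it permanent.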
This concludes the article on the error "because the document's frame is sandboxed and the 'allow-scripts' permission is not set".