Re: Content-Security-Policy in Jenkins

2016-01-12 Thread Daniel Beck

On 11.01.2016, at 10:00, Boris Serdiuk  wrote:

> Well, I read release notes and reasoning behind it but I don't get why that 
> breaking change wasn't made as opt-in. 

Security in Jenkins is currently opt-in for mostly historical reasons. That's 
fine on your team's local network. And one would think people wouldn't run an 
unsecured Jenkins on a publicly accessible server. We've recently learned that 
one would be wrong, and I had the great joy of writing a security advisory(!) 
basically telling people to not be complete idiots[1]. Therefore I decided to 
err on the side of caution on this change (and FWIW the rest of the security 
team agreed).

As to the impact on plugins, we identified several plugins that would be 
affected and provided guides for the most popular ones. I'd be happy to keep 
updating the wiki page with definitive information on other plugins as well. 
And I'm planning to add an option to the security configuration UI to make this 
option more discoverable and easier to change.

1: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-01

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/E87B14E5-D05D-4A2C-A374-9E075CE69D1D%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.


Re: Content-Security-Policy in Jenkins

2016-01-11 Thread Boris Serdiuk
Well, I read release notes and reasoning behind it but I don't get why that 
breaking change wasn't made as opt-in. 

As I understand it, this affects only build servers for open-source projects. But a lot 
of users with private Jenkins installations just got this update suddenly 
and ended up with a broken workflow. I guess that maintainers of 
open-source projects are usually more advanced users and could enable the extra 
protection for their servers, rather than other users having to do weird things 
to make some Jenkins extensions work again.

On Friday, 8 January 2016 17:24:04 UTC+3, Daniel Beck wrote:
>
> On 08.01.2016, at 11:49, Boris Serdiuk  wrote: 
>
> > Do you have any announcement or migration guide where I can redirect my 
> users? 
>
> Choose any of these, the full documentation is at most two clicks away: 
>
> Security advisory announcement: 
>
> https://groups.google.com/d/msg/jenkinsci-advisories/Zy8yMkQfld4/a8lkB_DUDQAJ 
>
> Announcement blog post: 
> https://jenkins-ci.org/blog/2015/12/09/security-updates-released-today/ 
>
> Regular changelog links to advisory: 
> https://jenkins-ci.org/changelog/#v1.641 
>
> LTS changelog links to advisory: 
> https://jenkins-ci.org/changelog-stable/#v1.625.3 
>
> Security advisory with giant notice on compatibility: 
>
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09
>  
>
> Documentation: 
>
> https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
>  
>
> If you have suggestions how to make this more noticeable without doing 
> giant banners everywhere, or repeating the same information in a dozen 
> places, please let me know. 
>
> > Also, I am looking for a better way to relax content security via the UI rather 
> than changing configuration properties in the file. 
>
> I'm planning to make setting the system property a regular part of the 
> Jenkins global security config UI. It is tracked here: 
> https://issues.jenkins-ci.org/browse/JENKINS-32296 
>
>



Re: Content-Security-Policy in Jenkins

2016-01-08 Thread Daniel Beck
On 08.01.2016, at 11:49, Boris Serdiuk  wrote:

> Do you have any announcement or migration guide where I can redirect my users?

Choose any of these, the full documentation is at most two clicks away:

Security advisory announcement:
https://groups.google.com/d/msg/jenkinsci-advisories/Zy8yMkQfld4/a8lkB_DUDQAJ

Announcement blog post:
https://jenkins-ci.org/blog/2015/12/09/security-updates-released-today/

Regular changelog links to advisory:
https://jenkins-ci.org/changelog/#v1.641

LTS changelog links to advisory:
https://jenkins-ci.org/changelog-stable/#v1.625.3

Security advisory with giant notice on compatibility:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09

Documentation:
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

If you have suggestions how to make this more noticeable without doing giant 
banners everywhere, or repeating the same information in a dozen places, please 
let me know.

> Also, I am looking for a better way to relax content security via the UI rather than 
> changing configuration properties in the file. 

I'm planning to make setting the system property a regular part of the Jenkins 
global security config UI. It is tracked here: 
https://issues.jenkins-ci.org/browse/JENKINS-32296



Content-Security-Policy in Jenkins

2016-01-08 Thread Boris Serdiuk
Hello! 

Since Jenkins 1.625.3 you have added a Content-Security-Policy header for some 
content from plugins. I understand the reason for doing it, but it breaks a lot 
of use cases. 
I am a developer of Allure Framework, which is a tool for 
better test reports. We have an Allure Jenkins Plugin, so some of our users are also 
Jenkins users. And since that security fix we have got a lot of bug reports 
about it:
https://github.com/allure-framework/allure-core/issues/715
https://github.com/allure-framework/allure-core/issues/717
https://github.com/allure-framework/allure-core/issues/729
Also, there are more questions about it in our Gitter chat. 
People just don't understand 
what is going on. We can't get rid of using JavaScript in our framework, so I 
have to explain again and again what users should do.

Do you have any announcement or migration guide where I can redirect my 
users? Also, I am looking for a better way to relax content security via the UI 
rather than changing configuration properties in a file. 

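The original post above describes the symptom (a report's JavaScript stops running once Jenkins sends a Content-Security-Policy header with plugin-served files) and Daniel's replies point at a system property for relaxing it. The following is an added example, not code from the thread, from Jenkins or from the Allure project: a small CSP evaluator that shows which parts of the default policy block a report's scripts, and what a narrowly relaxed policy changes. Two things are assumed rather than stated on the page: the default policy value (`sandbox; default-src 'none'; img-src 'self'; style-src 'self';`) and the property that overrides it (`hudson.model.DirectoryBrowserSupport.CSP`) are taken from the "Configuring Content Security Policy" documentation linked in the thread, and the relaxed policy, the page URL and the asset URLs are constructed for the example.

```python
"""Minimal Content-Security-Policy evaluator (added example, not Jenkins code).

Models enough of CSP to show why the header Jenkins sends with plugin-served
static files blocks the JavaScript in an HTML test report: sandboxing, 'self',
'none', 'unsafe-inline' and host-sources.  Nonces, hashes and scheme-sources
such as `https:` are not handled.
"""
from urllib.parse import urlsplit

# Default value Jenkins applies to files served via DirectoryBrowserSupport
# (archived HTML reports and similar). Taken from the Jenkins CSP documentation,
# not from the thread; it is the value the system property
# hudson.model.DirectoryBrowserSupport.CSP replaces.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Hypothetical relaxed policy for this example: the report may run and load its
# own scripts, but inline handlers and off-origin resources stay blocked.
RELAXED_CSP = ("sandbox allow-scripts; default-src 'none'; script-src 'self'; "
               "img-src 'self'; style-src 'self';")

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy):
    """Split a policy into {directive: [source-expression, ...]}.
    As in browsers, a directive repeated later in the policy is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _port(u):
    """Effective port of a split URL, falling back to the scheme default."""
    try:
        return u.port or DEFAULT_PORTS.get(u.scheme.lower())
    except ValueError:  # malformed port
        return None


def origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), _port(u))


def host_source_matches(source, resource_url, page_url):
    """Match a host-source such as cdn.example, https://cdn.example:8443 or
    *.example.org against the URL being fetched (CSP host/port rules)."""
    s = urlsplit(source if "://" in source else "//" + source)
    r, p = urlsplit(resource_url), urlsplit(page_url)
    want_scheme, got_scheme = (s.scheme or p.scheme).lower(), r.scheme.lower()
    # A source without a scheme inherits the page's; http may be upgraded to https.
    if got_scheme != want_scheme and not (want_scheme == "http" and got_scheme == "https"):
        return False
    shost, rhost = (s.hostname or "").lower(), (r.hostname or "").lower()
    if shost.startswith("*."):
        if not rhost.endswith(shost[1:]):
            return False
    elif shost != rhost:
        return False
    try:
        sport = s.port  # None when the source names no port
    except ValueError:
        return False
    rport = _port(r)
    return rport == DEFAULT_PORTS.get(got_scheme) if sport is None else sport == rport


def allows(policy, directive, page_url, resource_url=None, inline=False):
    """Does the policy permit this fetch (or this inline script/style)?
    Fetch directives fall back to default-src when absent, as in browsers."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing in the policy governs this resource type
    if inline:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'":
            if origin(page_url) == origin(resource_url):
                return True
        elif src == "*":
            return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonce-/sha- values: never a host match
        elif host_source_matches(src, resource_url, page_url):
            return True
    return False


def scripts_can_run(policy):
    """`sandbox` disables script execution for the whole document unless it
    carries allow-scripts; script-src is never even consulted then."""
    d = parse_csp(policy)
    return "sandbox" not in d or "allow-scripts" in d["sandbox"]


def report_script_loads(policy, page_url, script_url):
    """Verdict for one <script src=...> in a report page under the policy."""
    return scripts_can_run(policy) and allows(policy, "script-src", page_url, script_url)


if __name__ == "__main__":
    # Constructed sample: an archived report page and the assets it references.
    page = "https://jenkins.example/job/demo/1/allure/index.html"
    assets = [("script-src", "https://jenkins.example/job/demo/1/allure/app.js"),
              ("script-src", "https://cdn.example/jquery.js"),
              ("img-src", "https://jenkins.example/job/demo/1/allure/logo.png")]
    for name, policy in (("default", JENKINS_DEFAULT_CSP), ("relaxed", RELAXED_CSP)):
        print(f"{name}: scripts can run = {scripts_can_run(policy)}")
        for directive, url in assets:
            print(f"  {directive:10} {url}: {allows(policy, directive, page, url)}")
```

Running it shows the two separate reasons a report breaks under the default: `default-src 'none'` leaves no source from which a script may be loaded, and `sandbox` without `allow-scripts` would stop execution even if one were added. Images and stylesheets from the same origin still load, which is why reports appear half-rendered rather than empty. The relaxed value is the kind of string one would put into the system property; it deliberately stops short of `'unsafe-inline'` and `*`, since anyone who can archive a build artifact can then have the Jenkins origin serve arbitrary script.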