JENKINS-41891

Serve static files from second domain as an alternative to setting CSP

    Details

    • Released As: jenkins-2.200

      Description

      Dealing with Content-Security-Policy is just too annoying, and there are too many plugins trying to just serve static files in Jenkins, often for no real reason.

      We need second domain support for static resources (DirectoryBrowserSupport) such that accessing that is possible without authentication, just with a token, and that token is used for linked resources as well.

            Activity

            danielbeck Daniel Beck added a comment -

            OK so the current implementation:

            • Has its own CryptoConfidentialKey with random IV for every URL.
            • Encodes authentication, DBS URL, and creation date in the (now super long) string in the URL (all encrypted)

            On access, it's decrypted, and if the age is below a certain threshold, it's handled, otherwise the user is redirected to the real URL. This creates a short loop through (re)authentication (old resource URL -> regular Jenkins URL (might require auth) -> new resource URL) which seems to work mostly OK – once frames are involved, the Jenkins login screen doesn't like to show in a frame (thanks X-Frame-Options), and it's just an empty page if you're not currently logged in. If you have a session, it's just transparent.

            Still seems superior to just going with 404s all the time, and a full reload will fix it (as the top level page will go through the auth loop without a frame).

            danielbeck Daniel Beck added a comment -

            On second thought, there's no need to encrypt anything here – we don't need to keep the content secret. We just need to confirm it hasn't been tampered with, i.e. users don't get to define their own resource URLs. So what we need is a signature.

            jvz Matt Sicker added a comment -

            An HMAC essentially, yes. That sounds fine. These are like super limited use JWTs.

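The signed-token scheme the two comments above converge on (resource path, user and creation time carried in the URL, integrity from an HMAC rather than encryption, and stale-but-authentic tokens bounced back to the regular Jenkins URL for re-authentication), as an added Python sketch that is not Jenkins' own code; the key, the 30-minute threshold and the claim layout are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example only; a real server keeps its own secret key.
SECRET_KEY = b"example-only-resource-url-key"
# Assumed freshness threshold: how long a signed resource URL keeps being served.
MAX_AGE_SECONDS = 30 * 60


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_resource_url(path: str, user: str, now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Bind the DirectoryBrowserSupport path, the authenticated user and the creation
    time together. Nothing is secret here, so the payload stays readable; the HMAC is
    what stops a user from composing a resource URL of their own choosing."""
    created = int(time.time()) if now is None else now
    payload = json.dumps({"path": path, "user": user, "created": created}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(mac)


def resolve_resource_url(token: str, now: Optional[int] = None, key: bytes = SECRET_KEY):
    """Decide what the resource domain does with an incoming token:
    ("serve", claims)    authentic and fresh: serve the path as the embedded user
    ("redirect", claims) authentic but past the age threshold: send the browser to the
                         regular Jenkins URL so it can re-authenticate and get a new token
    ("reject", None)     malformed or tampered: no information is trusted from it"""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = b64url_decode(payload_b64), b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return ("reject", None)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison before any claim is parsed or acted on.
    if not hmac.compare_digest(expected, mac):
        return ("reject", None)
    claims = json.loads(payload)
    current = int(time.time()) if now is None else now
    age = current - claims["created"]
    # A negative age means a creation time in the future; treat it as stale too.
    if age < 0 or age > MAX_AGE_SECONDS:
        return ("redirect", claims)
    return ("serve", claims)
```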
            danielbeck Daniel Beck added a comment -

            Plugins affected:

            • https://wiki.jenkins.io/display/JENKINS/Acunetix+Plugin
            • https://wiki.jenkins.io/display/JENKINS/BTC+EmbeddedPlatform
            • https://wiki.jenkins.io/display/JENKINS/HTML+Publisher+Plugin
            • https://wiki.jenkins.io/display/JENKINS/Javadoc+Plugin
            • https://wiki.jenkins.io/display/JENKINS/LoadRunner+Integration
            • https://wiki.jenkins.io/display/JENKINS/Micro+Focus+Application+Automation+Tools
            • https://wiki.jenkins.io/display/JENKINS/NeoLoad+Plugin
            • https://wiki.jenkins.io/display/JENKINS/PRQA+Plugin
            • https://wiki.jenkins.io/display/JENKINS/Redmine+Metrics+Report+Plugin
            • https://wiki.jenkins.io/display/JENKINS/VectorCAST+Execution+Plugin
            • https://wiki.jenkins.io/display/JENKINS/Worksoft+Certify+DashBoard+Plugin
            • https://wiki.jenkins.io/display/JENKINS/Worksoft+Certify+Process+Runner
            • https://wiki.jenkins.io/display/JENKINS/Worksoft+Certify+Process+Suite
            • https://wiki.jenkins.io/display/JENKINS/Worksoft+Certify+RiskBased+PlugIn

            More in comments on https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy

            jvz Matt Sicker added a comment -

            Not sure how relevant it would be, but the Audit Log plugin makes HTML audit logs available via DirectoryBrowserSupport. If I wanted to use more advanced UI pages for that, it would likely need its own CSP.


              People

              • Assignee: danielbeck Daniel Beck
              • Reporter: danielbeck Daniel Beck
              • Votes: 2
              • Watchers: 5