Jenkins error - Blocked script execution in . because the document's frame is sandboxed and the 'allow-scripts' permission is not set

Question

I\'m aware that if we use a iFrame in HTML we\'ve to sandbox it & add the \'allow-scripts\' permission to be true.

But my problem is I don\'t have a iFrame at all

Answer 1

The above answers did not work for me in Ubuntu 16.04 with Jenkins 2.46.2. I had to change JAVA_ARGS in /etc/default/jenkins as

JAVA_ARGS="-Djava.awt.headless=true  -Dmail.smtp.starttls.enable=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *;\""

More info here

Answer 2

You need to follow below steps for solution :

1. Open the Jenkin home page.
2. Go to Manage Jenkins.
3. Now go to Script Console.
4. And in that console paste below statement and click on Run. System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
5. After that it will load css and js.

Note : After following the above steps if still it is not loading css and js then clear the browser cache and cookie and refresh the page.

Answer 3

I had the same issue with HTML Publisher Plugin.

According to Jenkins new Content Security Policy, you can bypass it by setting:

hudson.model.DirectoryBrowserSupport.CSP=script-src 'unsafe-inline';

UPDATE: For some reason on Jenkins 2.x, I had to update arguments again, with an empty CSP value, instead of script-src 'unsafe-inline, in order to fully display external HTML pages:

-Dhudson.model.DirectoryBrowserSupport.CSP=

On Windows there's a jenkins.xml in Jenkins home directory, where you can set global JVM options, such as Jenkins system properties. Simply add it under arguments tag:

<arguments> -Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle "-Dhudson.model.DirectoryBrowserSupport.CSP= " -jar "%BASE%\jenkins.war" --httpPort=8080 </arguments>

For most of the Linux distributions, you can modify JENKINS_ARGS inside file:

/etc/default/jenkins (or jenkins-oc)

For CentOS, modify JENKINS_JAVA_OPTIONS inside file:

/etc/sysconfig/jenkins (or jenkins-oc)

See more examples in the Content Security Policy Reference: http://content-security-policy.com/

Answer 4

We were using this content HTML in a Jenkins userContent directory. We recently upgraded to the latest Jenkins 1.625 LTS version & it seems they've introduced new Content security policy which adds the below header to the response headers & the browsers simply decline to execute anything like stylesheets / Javascripts.

X-Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';

To get over it, we had to simply remove this header by resetting the below property in Jenkins.

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

Those who upgrade to Jenkins 1.625 & use the userContent folder might be affected by this change.

For more information refer https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Answer 5

For Jenkins hosted on Ubuntu:

1. put to /etc/default/jenkins

   JAVA_ARGS="${JAVA_ARGS} -Dhudson.model.DirectoryBrowserSupport.CSP=\"\" "
   

2. visit http://<your jenkins hostname>/safeRestart

(about this and other options: https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties)

UPD: this time when I did this the visiting /safeRestart was not enough. I had to do sudo service jenkins restart.

Answer 6

On Amazon Linux at the bottom of /etc/sysconfig/jenkins change:

#JENKINS_ARGS="-Dhudson.model.DirectoryBrowserSupport.CSP=sandbox"

JENKINS_ARGS="-Dhudson.model.DirectoryBrowserSupport.CSP=\"\""