一个解决方案是放松Jenkins配置，请参阅了解详情：

您可以尝试以下方式进行实验：

（警告！）这可能是非常不安全的，只能在查看整体安全设置后才能使用。使用进行不同的设置。要从外部网站启用CSS和图片，您可以使用以下内容：

  System.setProperty（hudson.model.DirectoryBrowserSupport。 CSP，sandbox; default-src'self'; img-src'*'; style-src'*''unsafe-inline';）
  

另一种解决方案是将生成的页面发布（部署）到另一台可以控制内容安全策略的服务器上。

I wrote a program that generated an html file with this header:

but I don't have iframe at all, let alone in sandbox

When I open the page in the browser (hosted on a Jenkins server) I see no css.

These are the errors (security policy)

I have seen some posts on stockoverflow, saying the <meta> should be like:

<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com"> 

but as you can see in my print screen that didn't help

any idea, how can I fix this?

You're serving an HTML page from Jenkins, so Jenkins controls the response headers, not your content. Recent security fixes in Jenkins imposed a strict default Content Security Policy. You should be able to see the Content-Security-Policy header inserted by Jenkins in the response headers.

One solution is to relax the Jenkins configuration, see the Configuring Content Security Policy wiki page for details:

You can experiment with different settings using the Jenkins Script Console. To enable CSS and images from external sites, you could use something like:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src '*'; style-src '*' 'unsafe-inline';")

Another solution is to publish (deploy) the generated page(s) on another server where you can control the content security policy.

这篇关于因为文档的框架是沙盒，并且'allow-scripts'权限未设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！