JENKINS-24806

Scoverage: iFrames blocked by many server setups

    • Improvement
    • Resolution: Unresolved
    • Minor
    • scoverage-plugin
    • None

      Use of iFrames is discouraged (not only, but also) for security reasons, and they are therefore blocked by many server configurations (including our server config, of course).

      The following error message appears in the browser console:

      Load denied by X-Frame-Options: https://somedomain.com/jenkins/job/some_job/scoverage/packages.html does not permit framing.

      If you're interested in putting the change in, I'll try to find time to do it.
      thx in advance.


          WynX Alucard added a comment -

          Same here, had to work around it by modifying the headers.


          David Pérez added a comment - - edited

          I'm also affected by this bug, and am interested in knowing the workaround.


          Dan Ebert added a comment -

          I'm seeing something similar. Here's what's showing up in the console (with host and job name removed):

          Refused to load the stylesheet 'https://cdnjs.cloudflare.com/ajax/libs/pure/0.3.0/pure-min.css' because it violates the following Content Security Policy directive: "style-src 'self'".

          Refused to frame 'http://<host>:8080/job/<jobname>/lastSuccessfulBuild/scoverage-report/packages.html' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

          Refused to frame 'http://<host>:8080/job/<jobname>/lastSuccessfulBuild/scoverage-report/overview.html' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

          Refused to load the stylesheet 'https://cdnjs.cloudflare.com/ajax/libs/pure/0.3.0/pure-min.css' because it violates the following Content Security Policy directive: "style-src 'self'".


          Dan Ebert added a comment -

          You can work around the issue in my previous comment by adding this "-Dhudson.model.DirectoryBrowserSupport.CSP=" to the JAVA_ARGS in your /etc/default/jenkins file and restarting via the command line (restarting via the UI doesn't reload the args)


          david perez added a comment -

          It doesn't work for me, I've changed the /etc/init.d/jenkins service.

          Using CentOS 7.


          David Pérez added a comment -

          Sorry, I was confused, probably by some browser cache. It works ok.

          Thanks Dan for the -Dhudson.model.DirectoryBrowserSupport.CSP= trick!
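
Added example, not part of the original comments and not code from Jenkins or the scoverage plugin: a simplified model of how a browser resolves the Content Security Policy messages quoted above, and of what the empty `-Dhudson.model.DirectoryBrowserSupport.CSP=` value changes. The `narrower` policy, the host `jenkins.example`, the job `demo`, `index.html` as the framing page and the third-party script URL are assumptions; only keyword and origin sources are modelled, and `sandbox` is ignored.

```javascript
// Added example: simplified CSP check (keyword and origin sources only, no sandbox).
const FALLBACK = {
  frame: ['frame-src', 'child-src', 'default-src'],
  style: ['style-src', 'default-src'],
  script: ['script-src', 'default-src'],
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function isAllowed(header, kind, resourceUrl, documentUrl) {
  const policy = parsePolicy(header);
  const directive = FALLBACK[kind].find((d) => policy.has(d)) || null;
  if (directive === null) return { allowed: true, directive }; // nothing restricts this kind
  const target = new URL(resourceUrl).origin;
  const self = new URL(documentUrl).origin;
  const allowed = policy.get(directive).some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target === self;
    try { return new URL(src).origin === target; } catch { return false; } // 'none' etc.
  });
  return { allowed, directive };
}

// Constructed sample values; host and job name are placeholders.
const BASE = 'http://jenkins.example:8080/job/demo/lastSuccessfulBuild/scoverage-report/';
const URLS = {
  frame: BASE + 'packages.html',
  style: 'https://cdnjs.cloudflare.com/ajax/libs/pure/0.3.0/pure-min.css',
  script: 'https://third-party.example/app.js',
};
const POLICIES = {
  fromConsole: "default-src 'none'; style-src 'self'", // directives quoted in the messages
  emptyWorkaround: '', // -Dhudson.model.DirectoryBrowserSupport.CSP=
  narrower: "default-src 'none'; style-src 'self' https://cdnjs.cloudflare.com; frame-src 'self'", // assumption
};

const evaluate = (name) => Object.fromEntries(Object.entries(URLS).map(
  ([kind, url]) => [kind, isAllowed(POLICIES[name], kind, url, BASE + 'index.html')]));
for (const name of Object.keys(POLICIES)) console.log(name, JSON.stringify(evaluate(name)));
```

With the empty value no directive applies to any of the three loads, the third-party script included; the narrower policy permits only the same-origin frame and the one stylesheet origin.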


            Unassigned
            winnie sergej schmidt
            Votes: 3
            Watchers: 6