Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32026

HTML publisher 1.9 broken since Jenkins 1.625.3

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • htmlpublisher-plugin
    • None
    • Jenkins LTS version 1.625.3
      HTML publisher plugin 1.9

      After the upgrade from the Jenkins LTS version 1.625.2 to 1.625.3 the HTML report is not displayed. Instead a link "ZIP" and the text "index" is displayed in the upper left corner.
      I am not sure if this is really related to the HTML publisher plugin because its version has not been changed.

          [JENKINS-32026] HTML publisher 1.9 broken since Jenkins 1.625.3

          Jake Gage added a comment - - edited

          I'm seeing the same issue:

          and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages:

          Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

          Jake Gage added a comment - - edited I'm seeing the same issue: and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages: Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

          Jake Gage added a comment - - edited

          Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments.

          For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment:

          (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)

          Jake Gage added a comment - - edited Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments. For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment: (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)

          Daniel Beck added a comment -

          Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy.

          FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22, but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.

          Daniel Beck added a comment - Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy . FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22 , but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.

          Jake Gage added a comment -

          Wow— thank you, danielbeck !

          Jake Gage added a comment - Wow— thank you, danielbeck !

          mcrooney added a comment -

          Thanks, released as 1.10!

          mcrooney added a comment - Thanks, released as 1.10!

          Daniel Beck added a comment -

          So, to clarify, there are two parts to this:

          • The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this.
          • The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641.

          To work around the second issue, you basically have the following options with this:

          • Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing.
          • Publish the HTML pages elsewhere and just link there from Jenkins.
          • Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline).
          • Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation.

          You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security, we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.

          Daniel Beck added a comment - So, to clarify, there are two parts to this: The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this. The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641. To work around the second issue, you basically have the following options with this: Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing. Publish the HTML pages elsewhere and just link there from Jenkins. Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline). Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation . You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security , we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.

          Andru Cherny added a comment -

          My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11
          Bug exsist.

          Andru Cherny added a comment - My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11 Bug exsist.

          Daniel Beck added a comment -

          This issue has been resolved. HTML Publisher itself failed to show the iframe at all, which this issue is about.

          What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

          Daniel Beck added a comment - This issue has been resolved. HTML Publisher itself failed to show the iframe at all , which this issue is about. What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

            danielbeck Daniel Beck
            berndpohl Bernd Pohl
            Votes:
            6 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: