Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32026

HTML publisher 1.9 broken since Jenkins 1.625.3

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Fixed
    • htmlpublisher-plugin
    • None
    • Jenkins LTS version 1.625.3
      HTML publisher plugin 1.9

    Description

      After the upgrade from the Jenkins LTS version 1.625.2 to 1.625.3 the HTML report is not displayed. Instead a link "ZIP" and the text "index" is displayed in the upper left corner.
      I am not sure if this is really related to the HTML publisher plugin because its version has not been changed.

      Attachments

        Issue Links

          Activity

            dispader Jake Gage added a comment - - edited

            I'm seeing the same issue:

            and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages:

            Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

            dispader Jake Gage added a comment - - edited I'm seeing the same issue: and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages: Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
            dispader Jake Gage added a comment - - edited

            Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments.

            For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment:

            (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)

            dispader Jake Gage added a comment - - edited Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments. For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment: (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)
            danielbeck Daniel Beck added a comment -

            Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy.

            FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22, but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.

            danielbeck Daniel Beck added a comment - Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy . FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22 , but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.
            dispader Jake Gage added a comment -

            Wow— thank you, danielbeck !

            dispader Jake Gage added a comment - Wow— thank you, danielbeck !
            mcrooney mcrooney added a comment -

            Thanks, released as 1.10!

            mcrooney mcrooney added a comment - Thanks, released as 1.10!
            danielbeck Daniel Beck added a comment -

            So, to clarify, there are two parts to this:

            • The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this.
            • The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641.

            To work around the second issue, you basically have the following options with this:

            • Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing.
            • Publish the HTML pages elsewhere and just link there from Jenkins.
            • Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline).
            • Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation.

            You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security, we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.

            danielbeck Daniel Beck added a comment - So, to clarify, there are two parts to this: The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this. The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641. To work around the second issue, you basically have the following options with this: Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing. Publish the HTML pages elsewhere and just link there from Jenkins. Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline). Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation . You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security , we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.
            wir_wolf Andru Cherny added a comment -

            My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11
            Bug exsist.

            wir_wolf Andru Cherny added a comment - My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11 Bug exsist.
            danielbeck Daniel Beck added a comment -

            This issue has been resolved. HTML Publisher itself failed to show the iframe at all, which this issue is about.

            What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

            danielbeck Daniel Beck added a comment - This issue has been resolved. HTML Publisher itself failed to show the iframe at all , which this issue is about. What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

            People

              danielbeck Daniel Beck
              berndpohl Bernd Pohl
              Votes:
              6 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: