Task
Resolution: Fixed
Critical
Jenkins 1.625.3 LTS/Jenkins 1.641 and later.
Per the Jenkins Wiki, Jenkins now sets a restrictive Content Security Policy header that breaks the Gatling reports, as no JavaScript is allowed to run on the pages. In our brief experimentation, we found it necessary to completely remove the header (set -Dhudson.model.DirectoryBrowserSupport.CSP=) in order to restore functionality.
At a minimum, setting this needs to be documented for this plugin. Ideally, if you can determine a less promiscuous CSP setting that could be set so that we don't have to totally disable CSP, that would be great.
Sorry about that, we only have very limited manpower on the Jenkins security team and were able to only cover the most popular plugins.
Would be interesting to know whether this is a limitation inherent in the plugin (e.g. Javadoc plugin), or just a property of the current plugin design/behavior that could be changed (similar to HTML Publisher).
Note that the Gatling developers don't seem to be monitoring this issue tracker according to https://github.com/jenkinsci/gatling-plugin/blob/master/README.md.
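To compare the options discussed in this issue, the following added example (not code from the issue, Jenkins, or the Gatling plugin) evaluates what a given value of hudson.model.DirectoryBrowserSupport.CSP lets report pages do with scripts. Assumptions: JENKINS_DEFAULT is the default policy as given in the Jenkins documentation (it is not quoted on this page), CANDIDATE is a constructed policy that has not been verified against Gatling reports, and the evaluation is simplified to the sandbox, default-src and script-src directives.

```javascript
// Added example: simplified CSP evaluation, script-related directives only.

// Parse a header value into a Map of directive name -> array of tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only its first occurrence counts.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Report whether external and inline scripts may run under the policy.
function scriptPosture(header) {
  const policy = parseCsp(header);
  if (policy.size === 0) {
    // Empty property value: no policy is enforced at all.
    return { sandboxed: false, scripts: true, inlineScripts: true, restricted: false };
  }
  const sandbox = policy.get('sandbox');
  const sandboxed = sandbox !== undefined;
  const sandboxAllows = !sandboxed || sandbox.includes('allow-scripts');
  // script-src falls back to default-src; with neither, sources are unrestricted.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) {
    return { sandboxed, scripts: sandboxAllows, inlineScripts: sandboxAllows, restricted: false };
  }
  const usable = sources.filter(s => s !== "'none'");
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = usable.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  const inline = usable.includes("'unsafe-inline'") && !hasNonceOrHash;
  return {
    sandboxed,
    scripts: sandboxAllows && usable.length > 0,
    inlineScripts: sandboxAllows && inline,
    restricted: true,
  };
}

// Policies to compare (see the assumptions stated above the block).
const JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
const DISABLED = ""; // the workaround described in this issue
const CANDIDATE = "sandbox allow-scripts; default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self';";
```

A policy where scripts is true while sandboxed and restricted remain true is narrower than the empty value, which lifts every restriction for all content served through DirectoryBrowserSupport.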