[JENKINS-32092] svg image provided by copy artefact plugin does not show correctly in firefox if jenkins runs via https

Type: Bug
Resolution: Not A Defect
Priority: Major
Component/s: copyartifact-plugin, core, image-gallery-plugin
Labels:
- https
- images
Environment:
org.jenkins-ci.main:jenkins-war:1.642
org.jenkins-ci.plugins:copyartifact:1.37
com.tupilabs.image_gallery:image-gallery:1.2

Similar Issues:
Powered by SuggestiMate

Show

Steps to reproduce:

In a job a svg image is created by python/matplotlib (see attachment).
The image is copied by the copy artefact plugin
The image appears all black if viewed with firefox (version 42 or 43)
jenkins is running on https

Changing the firefox preference security.csp.enable from true to false fixes the problem.

This seems to be related to this: https://greasyfork.org/de/forum/discussion/353/doesnt-work-because-of-content-security-policy
https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

sample1.1988.test.svg
18 kB
2015-12-16 00:19

Joachim Herb added a comment - 2015-12-16 08:50 - edited

Additional information:

The following error is shown in the browser console of firefox:
Content Security Policy: The page's settings blocked the loading of a resource: ("style-src https://xxx.xxx.xxx:8080")

The bug also happens, if the svg file is opened directly from the link created by the copy artifact plugin, so probably not caused by the image gallery plugin

Joachim Herb added a comment - 2015-12-16 08:50 - edited Additional information: The following error is shown in the browser console of firefox: Content Security Policy: The page's settings blocked the loading of a resource: ("style-src https://xxx.xxx.xxx:8080 ") The bug also happens, if the svg file is opened directly from the link created by the copy artifact plugin, so probably not caused by the image gallery plugin

Daniel Beck added a comment - 2015-12-16 16:49

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Daniel Beck added a comment - 2015-12-16 16:49 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09 https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Bruno P. Kinoshita added a comment - 2016-03-19 01:49

Thanks for taking care of that danielbeck. Closing the issue as this seems to have been fixed with CSP in newer versions of Jenkins.

Bruno P. Kinoshita added a comment - 2016-03-19 01:49 Thanks for taking care of that danielbeck . Closing the issue as this seems to have been fixed with CSP in newer versions of Jenkins.

Daniel Beck added a comment - 2016-03-19 13:08

kinow To clarify, the Dec 9 security fix introduced CSP for DirectoryBrowserSupport, thereby breaking uses like this, and the solution is to customize the CSP header to be less restrictive.

Daniel Beck added a comment - 2016-03-19 13:08 kinow To clarify, the Dec 9 security fix introduced CSP for DirectoryBrowserSupport, thereby breaking uses like this, and the solution is to customize the CSP header to be less restrictive.

Joachim Herb added a comment - 2016-04-14 11:30

The default value of hudson.model.DirectoryBrowserSupport.CSP is
sandbox; default-src 'none'; img-src 'self'; style-src 'self';
To solve the problem with the svg images, I had to change it to
sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline';
see https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Joachim Herb added a comment - 2016-04-14 11:30 The default value of hudson.model.DirectoryBrowserSupport.CSP is sandbox; default-src 'none'; img-src 'self'; style-src 'self'; To solve the problem with the svg images, I had to change it to sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; see https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Assignee:: Bruno P. Kinoshita

Reporter:: Joachim Herb

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2015-12-16 00:20

Updated:: 2016-04-14 11:30

Resolved:: 2015-12-16 16:49

Details

Description

Attachments

Attachments

Activity

Collapse comment: Joachim Herb added a comment - 2015-12-16 08:50, Edited by Joachim Herb - 2015-12-16 08:52

Expand comment: Joachim Herb added a comment - 2015-12-16 08:50, Edited by Joachim Herb - 2015-12-16 08:52

Collapse comment: Daniel Beck added a comment - 2015-12-16 16:49

Expand comment: Daniel Beck added a comment - 2015-12-16 16:49

Collapse comment: Bruno P. Kinoshita added a comment - 2016-03-19 01:49

Expand comment: Bruno P. Kinoshita added a comment - 2016-03-19 01:49

Collapse comment: Daniel Beck added a comment - 2016-03-19 13:08

Expand comment: Daniel Beck added a comment - 2016-03-19 13:08

Collapse comment: Joachim Herb added a comment - 2016-04-14 11:30

Expand comment: Joachim Herb added a comment - 2016-04-14 11:30

People

Dates