
Inline CSS is ignored in published HTML reports

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • Component: htmlpublisher-plugin
    • Environment: Jenkins 1.645, HTML Publisher plugin 1.10

      I use diff-cover to produce an HTML report about missing test coverage for GitHub pull requests, and I use the HTML Publisher plugin to publish those reports.

      My problem: all inline CSS in the HTML report produced by diff-cover is ignored. Instead of seeing uncovered code lines highlighted in red I see this:

      The Chrome Developer Tools shows this error in the console:

      > Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-38w8qtDewK1eDzv93gUtrP2TU2U9nk/1k3yxhYDPDU0='), or a nonce ('nonce-...') is required to enable inline execution.

      (There's also an error about blocked script execution, but that seems unrelated.)


          Baptiste Mathus added a comment (edited) -

          Seems like a WONTFIX/NotADefect to me, related to https://jenkins-ci.org/blog/2015/12/09/security-updates-released-today/

          WDYT danielbeck?


          Marius Gedminas added a comment - This seems to be related: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

          Daniel Beck added a comment -

          Not actually a defect, works as intended. JENKINS-32296 may help a bit here, but otherwise https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy stands.


          Marius Gedminas added a comment -

          What's the difference, security-wise, between user-generated HTML files in the workspace embedding inline CSS (which is forbidden) versus user-generated HTML files in the workspace linking to user-generated CSS files in the workspace (which is allowed)?

          Daniel Beck added a comment -

          I was unable to find out a definitive answer about this when I defined the defaults. That our use case for this is different than the usual reflected XSS prevention didn't help… I considered it probably safe to allow it (like e.g. frames as well), but just didn't know for certain.

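The console error quoted in the report lists the three ways CSP lets an inline `<style>` block through: `'unsafe-inline'`, a matching `'sha256-...'` hash, or a matching nonce. The added example below (not code from the issue, diff-cover or the HTML Publisher plugin) computes the hash a browser would expect for a given style block and evaluates a policy string the way a CSP Level 2 browser does, so an administrator can check what a relaxed `style-src` would and would not permit before overriding Jenkins' default via the `hudson.model.DirectoryBrowserSupport.CSP` system property described on the wiki page linked above. The CSS fragment is constructed for the demonstration.

```python
import base64
import hashlib

# Constructed sample: a style fragment of the kind a coverage report might inline.
SAMPLE_CSS = ".missing { background-color: #ffcccc; }"


def csp_style_hash(inline_css: str) -> str:
    """Return the CSP source expression ('sha256-<base64>') for one inline style block.

    The hash covers the exact bytes between <style> and </style>; any whitespace or
    colour change in a regenerated report invalidates it, which is why hashes suit
    fixed assets rather than build-generated HTML.
    """
    digest = hashlib.sha256(inline_css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.

    Directive names are case-insensitive; source tokens are kept verbatim because
    base64 hashes and nonces are case-sensitive.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_style_allowed(header: str, inline_css: str, nonce: str = "") -> bool:
    """Would a CSP Level 2 browser apply this inline <style> block under the header?

    style-src falls back to default-src; with neither present there is no restriction.
    Inline CSS needs 'unsafe-inline', a matching 'nonce-...' or a matching 'sha256-...',
    and 'unsafe-inline' is ignored as soon as any nonce or hash source is listed.
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if not has_nonce_or_hash and any(s.lower() == "'unsafe-inline'" for s in sources):
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return csp_style_hash(inline_css) in sources
```

Note that an external stylesheet served from the same origin is allowed by `'self'` alone, which is the asymmetry Marius Gedminas asks about above.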

            Assignee: Richard Bywater (r2b2_nz)
            Reporter: Marius Gedminas (mgedmin)