-
Bug
-
Resolution: Not A Defect
-
Major
-
Jenkins Version 1.651
HTML Publisher plugin: 1:11
OS: Windows 7 64 bits
Current Jenkins CSP settings:
Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';
However, when trying to access some TestNG/ReportNG generated reports, the console shows the error message below. Basically I cannot expand a Java StackTrace, because this requires a small javascript to run. Hard to say if this is a plugin issue or jenkins issue..
Refused to load the script 'http://
{my.domain}:8080/job/Web%20check%20-%20PRODUCTION/115/HTMLReport/reportng.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
[JENKINS-33653] HTML Publisher artifact does not load js script
That's exactly what I did. Jenkins starts as a service configured as described. And it worked until a week ago, unfortunately I don't know what event made this not working anymore. Even if I configure this option for the current instance, it's not working.
To clarify, you set System.setProperty(…) in the script console, and the subsequent System.getProperty(…) returns the old value you replaced?
Please provide the full output on the /systemInfo URL.
Yes sir, for the first question.
Second requests, please see the attached PDF file.
System properties are not immutable, and the output clearly shows the shortened one. Something is very weird here. As I have no insight in what you're doing, please run a sequence of script console commands, and paste then and their output here. Run only one line at a time, and record it's output.
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
Since you're using HTML Publisher, the original problem may be a case of the reload only targeting the wrapper file, and then loading your own content HTML from cache. So make sure to open your HTML file fully before reloading.
The results are
_Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: null
Result:
Result:
Result:
Result: sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';_
Now the HTML report is a bit worse in CHROME, due to the error displayed below in JS console:
suites.html:1 Blocked script execution in 'http://bftsieg002.ger.corp.intel.com:8080/job/Web%20tests%20-%20Full%20suite%20-%20Staging/142/HTML_Report/suites.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
The very weird thing is that it seems to work great in Firefox...
Firefox does not support the sandbox directive. Remove it to make it work in Chrome.
For some reason,
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';")
works fine now on Chrome as well, I do not see any JS console errors anymore. We can close the issue, most likely my configuration was not correct.
Thanks for the help!
Well, you removed the "sandbox" part 
because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
These options need to be persisted in the startup scripts to survive a Jenkins restart. But set it again to the value you want and reload to make sure it works as expected.