[JENKINS-33653] HTML Publisher artifact does not load js script

Type: Bug
Resolution: Not A Defect
Priority: Major
Component/s: htmlpublisher-plugin
Labels:
- CSP
- security
Environment:
Jenkins Version 1.651
HTML Publisher plugin: 1:11
OS: Windows 7 64 bits

Similar Issues:
Powered by SuggestiMate

Show

Current Jenkins CSP settings:
Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

However, when trying to access some TestNG/ReportNG generated reports, the console shows the error message below. Basically I cannot expand a Java StackTrace, because this requires a small javascript to run. Hard to say if this is a plugin issue or jenkins issue..

Refused to load the script 'http://

{my.domain}

:8080/job/Web%20check%20-%20PRODUCTION/115/HTMLReport/reportng.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

System Information [Jenkins].pdf
134 kB
2016-03-21 12:45

Vasile Pop created issue - 2016-03-18 15:14

mcrooney added a comment - 2016-03-19 19:03

Thanks for the report! danielbeck, any thoughts on this?

mcrooney added a comment - 2016-03-19 19:03 Thanks for the report! danielbeck , any thoughts on this?

Daniel Beck added a comment - 2016-03-20 18:11

My best guess is the CSP settings were adapted to make this work, and then the cache-bypassing browser reload was forgotten.

Daniel Beck added a comment - 2016-03-20 18:11 My best guess is the CSP settings were adapted to make this work, and then the cache-bypassing browser reload was forgotten.

Vasile Pop added a comment - 2016-03-20 18:54

I tried reloading the page several times using Shift + F5, this should clear the cache, right? It did not work.

Vasile Pop added a comment - 2016-03-20 18:54 I tried reloading the page several times using Shift + F5, this should clear the cache, right? It did not work.

Daniel Beck added a comment - 2016-03-20 20:09

What's the CSP header value returned from Jenkins? What's the output of System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") in the script console?

Daniel Beck added a comment - 2016-03-20 20:09 What's the CSP header value returned from Jenkins? What's the output of System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") in the script console?

Vasile Pop added a comment - 2016-03-21 08:48

Result: sandbox; default-src 'self'; script-src 'unsafe-inline'

When I logged the issue it was:

Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

Vasile Pop added a comment - 2016-03-21 08:48 Result: sandbox; default-src 'self'; script-src 'unsafe-inline' When I logged the issue it was: Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

Daniel Beck added a comment - 2016-03-21 11:51

These options need to be persisted in the startup scripts to survive a Jenkins restart. But set it again to the value you want and reload to make sure it works as expected.

Daniel Beck added a comment - 2016-03-21 11:51 These options need to be persisted in the startup scripts to survive a Jenkins restart. But set it again to the value you want and reload to make sure it works as expected.

Vasile Pop added a comment - 2016-03-21 12:10

That's exactly what I did. Jenkins starts as a service configured as described. And it worked until a week ago, unfortunately I don't know what event made this not working anymore. Even if I configure this option for the current instance, it's not working.

Vasile Pop added a comment - 2016-03-21 12:10 That's exactly what I did. Jenkins starts as a service configured as described. And it worked until a week ago, unfortunately I don't know what event made this not working anymore. Even if I configure this option for the current instance, it's not working.

Daniel Beck added a comment - 2016-03-21 12:33

To clarify, you set System.setProperty(…) in the script console, and the subsequent System.getProperty(…) returns the old value you replaced?

Please provide the full output on the /systemInfo URL.

Daniel Beck added a comment - 2016-03-21 12:33 To clarify, you set System.setProperty(…) in the script console, and the subsequent System.getProperty(…) returns the old value you replaced? Please provide the full output on the /systemInfo URL.

Vasile Pop made changes - 2016-03-21 12:45

Attachment

New: System Information [Jenkins].pdf [ 32221 ]

Assignee:: Richard Bywater

Reporter:: Vasile Pop

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2016-03-18 15:14

Updated:: 2017-07-20 11:23

Resolved:: 2016-03-22 10:22

Jenkins

Details

Description

Attachments

Attachments

Activity

Collapse comment: mcrooney added a comment - 2016-03-19 19:03

Expand comment: mcrooney added a comment - 2016-03-19 19:03

Collapse comment: Daniel Beck added a comment - 2016-03-20 18:11

Expand comment: Daniel Beck added a comment - 2016-03-20 18:11

Collapse comment: Vasile Pop added a comment - 2016-03-20 18:54

Expand comment: Vasile Pop added a comment - 2016-03-20 18:54

Collapse comment: Daniel Beck added a comment - 2016-03-20 20:09

Expand comment: Daniel Beck added a comment - 2016-03-20 20:09

Collapse comment: Vasile Pop added a comment - 2016-03-21 08:48

Expand comment: Vasile Pop added a comment - 2016-03-21 08:48

Collapse comment: Daniel Beck added a comment - 2016-03-21 11:51

Expand comment: Daniel Beck added a comment - 2016-03-21 11:51

Collapse comment: Vasile Pop added a comment - 2016-03-21 12:10

Expand comment: Vasile Pop added a comment - 2016-03-21 12:10

Collapse comment: Daniel Beck added a comment - 2016-03-21 12:33

Expand comment: Daniel Beck added a comment - 2016-03-21 12:33

People

Dates