Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61925

Upcoming Chrome SameSite policy change will break HTML Publisher plugin


    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • htmlpublisher-plugin
    • None
    • Jenkins 2.228
      htmlpublisher v1.22

      Google Chrome is about to change behavior for cookies without a SameSite attribute, see https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site. The rollout, originally planned for February/March, has now been postponed until the summer. Other browsers will eventually ship the same changes.

      We're using the HTML Publisher plugin to publish LCOV-generated code coverage reports. The new SameSite behavior described above, together with the default Content-Security-Policy header, seems to break this use case. Specifically, the cookies set by Jenkins don't include a SameSite attribute and therefore are no longer being sent by the browser when the HTML report page tries to load additional resources (CSS and images), because they are considered cross-site requests. And without the session cookie, these requests are rejected by Jenkins with an HTTP 403 error.

      Removing "sandbox" from the default hudson.model.DirectoryBrowserSupport.CSP setting works around the issue, but seems less than ideal.

            r2b2_nz Richard Bywater
            pesa Davide Pesavento
            8 Vote for this issue
            10 Start watching this issue