Bug
Resolution: Unresolved
Major
None
Jenkins 2.228
htmlpublisher v1.22
Google Chrome is about to change behavior for cookies without a SameSite attribute, see https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site. The rollout, originally planned for February/March, has now been postponed until the summer. Other browsers will eventually ship the same changes.
We're using the HTML Publisher plugin to publish LCOV-generated code coverage reports. The new SameSite behavior described above, together with the default Content-Security-Policy header, seems to break this use case. Specifically, the cookies set by Jenkins don't include a SameSite attribute and therefore are no longer being sent by the browser when the HTML report page tries to load additional resources (CSS and images), because they are considered cross-site requests. And without the session cookie, these requests are rejected by Jenkins with an HTTP 403 error.
Removing "sandbox" from the default hudson.model.DirectoryBrowserSupport.CSP setting works around the issue, but seems less than ideal.
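The failure described in this report can be modelled as an added example (not part of the original issue, and not Jenkins or plugin code). It assumes the subresource request goes to the same Jenkins host as the report page; the cookie value and CSP strings are constructed samples.

```javascript
// Constructed samples: a session cookie with no SameSite attribute, a CSP that
// contains "sandbox", and the same CSP with "sandbox" removed (the workaround).
const SESSION_COOKIE = "JSESSIONID.0a1b2c3d=node0abc; Path=/; HttpOnly";
const SANDBOX_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
const RELAXED_CSP = "default-src 'none'; img-src 'self'; style-src 'self';";

// Parse one Set-Cookie header value into { name, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// A document gets an opaque origin when its CSP has a sandbox directive
// that does not list allow-same-origin.
function hasOpaqueOrigin(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "sandbox") {
      return !tokens.map((t) => t.toLowerCase()).includes("allow-same-origin");
    }
  }
  return false;
}

// Would the browser attach the cookie to a CSS or image request made by the
// report page? laxByDefault = true models the new Chrome behaviour.
function cookieSentOnSubresource(setCookie, csp, laxByDefault) {
  const cookie = parseSetCookie(setCookie);
  // From an opaque origin, every request counts as cross-site.
  if (!hasOpaqueOrigin(csp)) return true;
  let mode = cookie.sameSite;
  if (!["strict", "lax", "none"].includes(mode)) mode = laxByDefault ? "lax" : "none";
  // Under the new rules SameSite=None is only honoured together with Secure.
  if (mode === "none") return !laxByDefault || cookie.secure;
  return false; // Lax and Strict cookies are withheld from cross-site subresources.
}

console.log("old behaviour, sandbox CSP:", cookieSentOnSubresource(SESSION_COOKIE, SANDBOX_CSP, false));
console.log("new behaviour, sandbox CSP:", cookieSentOnSubresource(SESSION_COOKIE, SANDBOX_CSP, true));
console.log("new behaviour, no sandbox: ", cookieSentOnSubresource(SESSION_COOKIE, RELAXED_CSP, true));
```

The second case is the one that ends in the HTTP 403: the session cookie is withheld, so Jenkins sees an unauthenticated request for the CSS or image file.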
[JENKINS-61925] Upcoming Chrome SameSite policy change will break HTML Publisher plugin
Thanks for the report and apologies for the delay in responding. With all that's going on in the world it's taking a while to get to things!
I'll take a look at this soon to see the impact and what fixes are possible. In the meantime, do you happen to know what month "summer" is in the context of the announcement? I assume it means US summer, so if you happen to be able to clarify when that is for a non-US resident, that'd be great!