Type: Improvement
Resolution: Fixed
Priority: Major
Environment: Jenkins 2.346.1, HTML Publisher 1.31
Released As: 2.417, 2.414.2
The generated report.html is not able to load its stylesheet report.css served from the same directory using the HTML Publisher plugin.
Following the suggestions from https://www.jenkins.io/doc/book/security/configuring-content-security-policy/ we were able to successfully use inline CSS after modifying the server CSP by adding 'unsafe-inline' to style-src in the Content-Security-Policy header. However, we are looking for a way to apply the CSS from a static stylesheet report.css served from the same directory, so that we may use the more secure default CSP setting (which can be seen in the server response below).
The report.html includes the stylesheet in the html head:
<head>
  <title>The Title</title>
  <link rel="stylesheet" href="report.css">
</head>
The report.html and report.css files are in the same directory, and both load when requested directly. However, when report.html is requested, its content loads, but the browser console shows that report.css is requested and the server responds with a 403 Forbidden.
Here are the headers in sequence:
Request:
GET /path/to/report/report.html HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: jenkins-timestamper=system; jenkins-timestamper-local=true; screenResolution=3840x2160; jenkins-timestamper-offset=14400000; JSESSIONID....
Host: jenkins.example.com
Pragma: no-cache
Referer: https://jenkins.example.com/path/to/report/
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 30 May 2023 15:16:26 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5042
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-WebKit-CSP: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
Last-Modified: Tue, 30 May 2023 15:12:01 GMT
Expires: Tue, 30 May 2023 15:12:01 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Request:
GET /path/to/report/report.css HTTP/1.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Host: jenkins.example.com
Pragma: no-cache
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Response:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 30 May 2023 15:16:26 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID.e6e60840=node055rgmmxlx15qojhhfap9tow0347.node0; Path=/; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Hudson: 1.395
X-Jenkins: 2.346.1
X-Jenkins-Session: 7514db71
Content-Encoding: gzip
—
I am puzzled by why the client has Sec-Fetch-Site: cross-site in its request headers when requesting the CSS file. It is obviously being requested from the same site and even the same directory as the HTML file it is linked from. However I don't see anything in the prior server response that would cause the client to issue that. This same issue has been seen on both Linux and Mac running Chrome.
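Added example, not part of the issue and not Jenkins or HTML Publisher code: the `sandbox` directive in the report's Content-Security-Policy, used without `allow-same-origin`, gives the framed document an opaque origin, and Fetch Metadata marks every request initiated from an opaque origin as `Sec-Fetch-Site: cross-site`, which also explains why the stylesheet request above carries no Cookie header. The script below parses the CSP and the subresource request headers (the sample strings are constructed from the ones quoted in this issue) and reports those three observations.

```python
"""Explain a 403 on a stylesheet fetched from a CSP-sandboxed report.
Added example, not Jenkins or HTML Publisher code; the header samples are
constructed from the ones quoted in this issue."""

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_headers(dump: str) -> dict:
    """Turn the 'Name: value' lines of a request dump into a lowercase dict.
    The first line (the request line) is skipped."""
    headers = {}
    for line in dump.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def diagnose(csp: str, subresource_request: str) -> list:
    """Return the observations that explain why the subresource is rejected."""
    policy = parse_csp(csp)
    req = parse_headers(subresource_request)
    findings = []
    # Sandboxing without allow-same-origin gives the document an opaque origin.
    if "sandbox" in policy and "allow-same-origin" not in policy["sandbox"]:
        findings.append("sandbox without allow-same-origin: document origin is opaque")
    # Fetch Metadata reports requests from an opaque origin as cross-site.
    if req.get("sec-fetch-site") == "cross-site":
        findings.append("Sec-Fetch-Site is cross-site although the URL is same-site")
    # Without the session cookie the server handles the fetch as anonymous.
    if "cookie" not in req:
        findings.append("no Cookie header: the request reaches the server unauthenticated")
    return findings

# Constructed from the 200 response and the report.css request shown in this issue.
CSP_HEADER = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
CSS_REQUEST = """GET /path/to/report/report.css HTTP/1.1
Accept: text/css,*/*;q=0.1
Host: jenkins.example.com
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
"""

if __name__ == "__main__":
    for finding in diagnose(CSP_HEADER, CSS_REQUEST):
        print("-", finding)
```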