Jenkins Content Security Policy and Concordion


Nigel Charman

Jan 15, 2016, 6:42:04 PM
to conco...@googlegroups.com

We've had an issue reported (#151) that Concordion reports are no longer viewable in Jenkins, with an error "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'"."

If anyone has already fixed this would you please add a comment to the issue #151.

Here's the research I've added to the issue:

This is due to a new Content Security Policy which Jenkins has introduced:

Jenkins 1.641 / Jenkins 1.625.3 introduce the Content-Security-Policy header to static files served by Jenkins (specifically, DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files in workspaces, /userContent, or archived artifacts.

Unfortunately, several popular, useful plugins are affected by this and lose part of their functionality unless the default rules are relaxed.

This rule set results in the following:

No JavaScript allowed at all
No plugins (object/embed) allowed
No inline CSS, or CSS from other sites allowed
...

In order to modify the policy, you will need to set the system property hudson.model.DirectoryBrowserSupport.CSP as documented in the article linked to above.

Since Concordion reports use inline CSS and JavaScript, it appears you will need to add script-src 'unsafe-inline' and style-src 'unsafe-inline'.

With the default settings for Jenkins currently being "sandbox; default-src 'none'; img-src 'self'; style-src 'self';", I'd suggest setting the property to "sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"

Please reply as to whether this works and we will add it to our documentation.

Also, as per the above article, please make sure your HTML Publisher plugin is v1.10 or later.

cheers
Nigel
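
To see what a candidate value for hudson.model.DirectoryBrowserSupport.CSP actually permits before it goes on a server, here is a small checker. It is an added example, not Concordion or Jenkins code, and the function names (parse_csp, evaluate and so on) are my own. It applies the two CSP rules that matter for these reports: a fetch directive that is not listed falls back to default-src, and a bare sandbox directive disables script execution unless it carries allow-scripts. Run against the suggested policy above, it shows that inline CSS is permitted, that inline JavaScript is still blocked (no script-src is given, so default-src 'none' governs it), and that 'unsafe-inline' under img-src does nothing. It goes one step beyond the post with two variants: one that adds script-src 'unsafe-inline', which is still blocked by the sandbox, and a hypothetical one that also relaxes the sandbox with allow-scripts. The directives are real CSP; whether Concordion's scripts then behave correctly inside a sandboxed document is something to verify in the browser.

```python
"""Added example (not code from the Concordion project or from Jenkins):
a small evaluator for the CSP directives that matter for Concordion reports
served by Jenkins' DirectoryBrowserSupport, so a candidate value for
hudson.model.DirectoryBrowserSupport.CSP can be checked before deployment."""

# Fetch directives that fall back to default-src when they are not listed
# (the CSP Level 1 set; enough for the policies discussed in this thread).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "object-src",
    "font-src", "connect-src", "media-src", "frame-src",
}

# 'unsafe-inline' only means something where inline content exists: scripts
# and styles. In img-src the browser ignores it; it just signals a mistake.
INLINE_DIRECTIVES = {"default-src", "script-src", "style-src"}


def parse_csp(policy):
    """Split a policy header value into {directive: [source expressions]}.
    A directive with no value (a bare 'sandbox') maps to an empty list.
    The first occurrence of a directive wins; later duplicates are ignored,
    which is what browsers do."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def sources_for(directives, fetch_directive):
    """Effective source list for a fetch directive, honouring the default-src
    fallback. None means the policy does not govern that directive at all."""
    if fetch_directive in directives:
        return directives[fetch_directive]
    return directives.get("default-src")


def inline_allowed(directives, kind):
    """Would an inline <style> or <script> pass? kind is 'style' or 'script'.
    Nonces and hashes are ignored; Concordion reports use neither."""
    sources = sources_for(directives, kind + "-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def sandbox_allows_scripts(directives):
    """The sandbox directive disables script execution unless it carries
    allow-scripts, whatever script-src says."""
    sandbox = directives.get("sandbox")
    if sandbox is None:
        return True
    return "allow-scripts" in sandbox


def evaluate(policy):
    """Summarise what a policy means for a report that uses inline CSS and
    inline JavaScript, plus warnings about tokens that achieve nothing."""
    d = parse_csp(policy)
    warnings = []
    for name, sources in d.items():
        if "'unsafe-inline'" in sources and name not in INLINE_DIRECTIVES:
            warnings.append("'unsafe-inline' has no effect in %s" % name)
    if not sandbox_allows_scripts(d):
        warnings.append("sandbox without allow-scripts blocks all script execution")
    return {
        "inline_style": inline_allowed(d, "style"),
        "inline_script": inline_allowed(d, "script"),
        "scripts_run": inline_allowed(d, "script") and sandbox_allows_scripts(d),
        "warnings": warnings,
    }


# The Jenkins default and the value suggested in the post above.
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
SUGGESTED = ("sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; "
             "style-src 'self' 'unsafe-inline';")
# Two variants that go beyond the post: script-src added, then the sandbox
# relaxed. The allow-scripts form is hypothetical, not taken from the thread.
WITH_SCRIPT_SRC = SUGGESTED + " script-src 'unsafe-inline';"
WITH_ALLOW_SCRIPTS = WITH_SCRIPT_SRC.replace("sandbox;", "sandbox allow-scripts;", 1)

if __name__ == "__main__":
    for label, policy in [("default", JENKINS_DEFAULT), ("suggested", SUGGESTED),
                          ("script-src added", WITH_SCRIPT_SRC),
                          ("allow-scripts", WITH_ALLOW_SCRIPTS)]:
        print(label, evaluate(policy))
```

Browser support for the sandbox directive also differs: Chrome enforced it at this time while Firefox did not yet, so the same policy can give different results in different browsers.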


Tim Wright

Jan 21, 2016, 10:10:57 PM
to Nigel Charman, conco...@googlegroups.com

We just upgraded our Jenkins server and now have this problem. Will investigate.

--
You received this message because you are subscribed to the Google Groups "concordion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to concordion+...@googlegroups.com.
To post to this group, send email to conco...@googlegroups.com.
Visit this group at https://groups.google.com/group/concordion.
To view this discussion on the web, visit https://groups.google.com/d/msgid/concordion/569983C6.8090803%40gmail.com.
For more options, visit https://groups.google.com/d/optout.




Tim Wright

Jan 21, 2016, 10:15:15 PM
to Nigel Charman, conco...@googlegroups.com

Confirmed that setting the property in the Script Console worked:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';");

Now I have to figure out how to set it automatically.

Tim

Tim Wright

Jan 21, 2016, 10:34:59 PM
to Nigel Charman, conco...@googlegroups.com

Hi all,

I have figured out how to set it permanently on a Linux box.

Basically, change the JAVA_OPTS variable in /etc/defaults/jenkins

My one now looks like this - note the escaped quotation marks because there are spaces in the variable value:

JAVA_ARGS="-Djava.awt.headless=true \"-Dhudson.model.DirectoryBrowserSupport.CSP=sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';\""

Tim


Nigel Charman

Jan 23, 2016, 11:17:10 PM
to Tim Wright, conco...@googlegroups.com
Thanks Tim, I've now documented this at http://concordion.org/Questions.html#jenkins.

Nigel Charman

Jan 28, 2016, 5:07:41 AM
to concordion, t...@tfwright.co.nz
The escaped quotes appear to be in the wrong place in Tim's post. It seems they should be:

    JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';\""

While this shows the Concordion styling, the JavaScript code isn't working on the View Stack button, or when hovering over a failing test with the Screenshot extension. I've tried the following to no avail:

    JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\" sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline';\""

The behaviour also varies across browsers. With Firefox 43, everything works OK. With Chrome 47 and 48, the JavaScript code isn't working.

I'm keen to know if anyone has this working or has time to look at it in more detail. There may be some changes we can make to the way we use CSS and JavaScript to alleviate the need for overriding the Content Security Policy.

Nigel.
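
The escaped quotes in both versions of the JAVA_ARGS line above only matter because the value is parsed by a shell a second time: the Debian-packaged init script builds the whole java command line as a string and hands it to another shell, so the spaces and semicolons in the CSP are re-interpreted at that point. The following Python (an added example, not from the thread, Concordion or Jenkins; the helper names and the sample policy are mine) emulates that second parse with shlex on a constructed JAVA_ARGS value. It shows that both placements of the inner quotes produce the same two arguments, and that without any inner quotes the shell would not just split the policy on spaces: each unquoted semicolon is a command separator, so the property would reach the JVM as just "sandbox" and the rest of the policy would be run as commands.

```python
"""Added example, not code from the thread, Concordion or Jenkins: emulate the
second round of shell parsing that a JAVA_ARGS value from /etc/default/jenkins
goes through when the init script passes it to another shell inside a command
string. Needs Python 3.8+ (punctuation_chars combined with whitespace_split)."""
import shlex

# Constructed policy and property name used by the three variants below.
CSP = ("sandbox; default-src 'none'; img-src 'self'; "
       "style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline';")
PROP = "-Dhudson.model.DirectoryBrowserSupport.CSP="

# What the variable holds after /etc/default/jenkins has been sourced, i.e.
# after the first parse removed the outer quotes and turned \" into ".
TIM_STYLE = '-Djava.awt.headless=true "%s%s"' % (PROP, CSP)    # quotes round the whole -D token
NIGEL_STYLE = '-Djava.awt.headless=true %s"%s"' % (PROP, CSP)  # quotes round the value only
UNQUOTED = '-Djava.awt.headless=true %s%s' % (PROP, CSP)       # no inner quotes at all


def second_parse(value):
    """Tokens the inner shell would see. A ';' outside quotes is returned as
    a token of its own, because the shell treats it as a command separator
    rather than as part of the argument."""
    lexer = shlex.shlex(value, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    return list(lexer)


def csp_argument(tokens):
    """The value the JVM would receive for the CSP property, or None if no
    argument carries it."""
    for tok in tokens:
        if tok.startswith(PROP):
            return tok[len(PROP):]
    return None


def survives_intact(value):
    """True if the whole policy reaches the JVM as one argument and no
    unquoted ';' turned the remainder into separate shell commands."""
    tokens = second_parse(value)
    return ";" not in tokens and csp_argument(tokens) == CSP


if __name__ == "__main__":
    for name, value in [("Tim", TIM_STYLE), ("Nigel", NIGEL_STYLE),
                        ("unquoted", UNQUOTED)]:
        print(name, survives_intact(value), second_parse(value))
```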

Nigel Charman

Jan 28, 2016, 5:27:56 AM
to conco...@googlegroups.com
There's some good discussion on the Cucumber Reports plugin issue list about this - https://github.com/jenkinsci/cucumber-reports-plugin/issues/7.

I've reopened our issue #151 for further discussion.

Qiang Fu

Mar 3, 2017, 2:36:53 AM
to concordion
I solved this problem by setting the Jenkins property as follows in the Script Console:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'none'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline';")



On Thursday, 28 January 2016 at 18:27:56 UTC+8, Nigel Charman wrote: