Jenkins Content Security Policy and jQuery for HTML reports


Brice Parmentier

Mar 15, 2016, 4:14:04 AM
to Jenkins Users
Hi,

I'm using Jenkins to launch a build and test sequence.
For my tests I use the FitNesse tool (at http://www.fitnesse.org), which can generate HTML reports.

Those HTML reports have links to local scripts like the jQuery library (it does not go online to load the library, it is embedded in the tool).

Since a recent version of Jenkins I noticed that I had to set the value of "hudson.model.DirectoryBrowserSupport.CSP" to something containing "script-src 'unsafe-inline';".
But this, in my case, only allows embedded scripts to execute, it does not allow loading external JavaScript files like this jQuery library for example. So all button actions and hide/show div actions do not work at all. So if I want to see my HTML reports, I can't do it from the Jenkins web interface, I have to download my artifacts locally and open the HTML page on my PC.

I tried lots of combinations for the CSP parameter, but nothing works.

As an example, the screenshot attached shows the console output when I open the HTML report from the web interface.

Does anybody have an explanation of this behaviour, and eventually a fix ?

Thanks !
ReferenceError.png

Steffen Breitbach

Mar 15, 2016, 4:16:10 AM
to jenkins...@googlegroups.com


Brice Parmentier

Mar 15, 2016, 4:18:37 AM
to Jenkins Users
Thanks Steffen for your quick answer, but I've already tried all that is on this page... :/
That is where I found to use "script-src 'unsafe-inline';"...

Cheers !

Daniel Beck

Mar 15, 2016, 2:39:51 PM
to jenkins...@googlegroups.com

On 15.03.2016, at 09:18, Brice Parmentier <bricepar...@gmail.com> wrote:

> That is where I found to use "script-src 'unsafe-inline';"...

You need to add _all_ legal sources to the list. See the examples on the wiki page, particularly the Maven Integration Plugin one.

In this case, "'unsafe-inline' 'self'" will probably do the trick.
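
Added example, not part of the original thread: a simplified model of how a browser applies `script-src`, showing why `'unsafe-inline'` alone lets inline scripts run but blocks the report's bundled jQuery file, and why adding `'self'` admits it while third-party hosts stay blocked. The function names, the host `jenkins.example` and the file paths are constructed for illustration; only `'self'`, `'unsafe-inline'`, `*` and explicit origins are modelled.

```javascript
// Simplified model of how a browser applies the script-src directive of a
// Content-Security-Policy header (keywords 'self', 'unsafe-inline', '*', origins).

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script is { inline: true } or { url: '...' }; pageUrl is the HTML report's URL.
function scriptAllowed(policy, pageUrl, script) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;          // no directive governs scripts
  const list = sources.map((s) => s.toLowerCase());
  if (script.inline) return list.includes("'unsafe-inline'");
  const target = new URL(script.url, pageUrl);     // resolve a relative src
  const page = new URL(pageUrl);
  return list.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false;         // other keywords never match a URL
    try { return new URL(src).origin === target.origin; } catch { return false; }
  });
}

// Constructed sample values (hypothetical Jenkins host and report paths).
const REPORT = 'https://jenkins.example/job/tests/1/artifact/report.html';
const JQUERY = 'files/javascript/jquery.min.js';   // relative <script src>

function compare() {
  const before = "script-src 'unsafe-inline';";
  const after = "script-src 'unsafe-inline' 'self';";
  return {
    beforeInline: scriptAllowed(before, REPORT, { inline: true }),
    beforeFile: scriptAllowed(before, REPORT, { url: JQUERY }),
    afterInline: scriptAllowed(after, REPORT, { inline: true }),
    afterFile: scriptAllowed(after, REPORT, { url: JQUERY }),
    afterCdn: scriptAllowed(after, REPORT, { url: 'https://cdn.example/jquery.js' }),
  };
}
console.log(compare());
```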

Brice Parmentier

Mar 16, 2016, 4:31:34 AM
to Jenkins Users, m...@beckweb.net
Yeeeeeeees ! It works !
I thought I would have to tear out my hair !

Thanks a lot Daniel !!!