[JIRA] [htmlpublisher-plugin] (JENKINS-33653) HTML Publisher artifact does not load js script


vasile.pop@gmail.com (JIRA)

Mar 18, 2016, 11:15:01 AM
to jenkinsc...@googlegroups.com
Vasile Pop created an issue
 
Jenkins / Bug JENKINS-33653
HTML Publisher artifact does not load js script
Issue Type: Bug
Assignee: mcrooney
Components: htmlpublisher-plugin
Created: 2016/Mar/18 3:14 PM
Environment: Jenkins Version 1.651
HTML Publisher plugin: 1:11
OS: Windows 7 64 bits
Labels: CSP security
Priority: Major
Reporter: Vasile Pop

Current Jenkins CSP settings:
Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

However, when trying to access some TestNG/ReportNG generated reports, the console shows the error message below. Basically I cannot expand a Java StackTrace, because this requires a small JavaScript to run. Hard to say if this is a plugin issue or a Jenkins issue.

Refused to load the script 'http://{my.domain}:8080/job/Web%20check%20-%20PRODUCTION/115/HTMLReport/reportng.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

mcrooney@java.net (JIRA)

Mar 19, 2016, 3:04:01 PM
to jenkinsc...@googlegroups.com
mcrooney commented on Bug JENKINS-33653
 
Re: HTML Publisher artifact does not load js script

Thanks for the report! Daniel Beck, any thoughts on this?

dbeck@cloudbees.com (JIRA)

Mar 20, 2016, 2:12:03 PM
to jenkinsc...@googlegroups.com

My best guess is the CSP settings were adapted to make this work, and then the cache-bypassing browser reload was forgotten.

vasile.pop@gmail.com (JIRA)

Mar 20, 2016, 2:55:01 PM
to jenkinsc...@googlegroups.com

I tried reloading the page several times using Shift + F5, this should clear the cache, right? It did not work.

dbeck@cloudbees.com (JIRA)

Mar 20, 2016, 4:10:02 PM
to jenkinsc...@googlegroups.com

What's the CSP header value returned from Jenkins? What's the output of System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") in the script console?

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 4:49:02 AM
to jenkinsc...@googlegroups.com

Result: sandbox; default-src 'self'; script-src 'unsafe-inline'

When I logged the issue it was:

Result: sandbox; default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

dbeck@cloudbees.com (JIRA)

Mar 21, 2016, 7:52:03 AM
to jenkinsc...@googlegroups.com

These options need to be persisted in the startup scripts to survive a Jenkins restart. But set it again to the value you want and reload to make sure it works as expected.

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 8:11:02 AM
to jenkinsc...@googlegroups.com

That's exactly what I did. Jenkins starts as a service configured as described. And it worked until a week ago; unfortunately I don't know what event made it stop working. Even if I configure this option for the current instance, it's not working.

dbeck@cloudbees.com (JIRA)

Mar 21, 2016, 8:34:03 AM
to jenkinsc...@googlegroups.com

To clarify, you set System.setProperty(…) in the script console, and the subsequent System.getProperty(…) returns the old value you replaced?

Please provide the full output on the /systemInfo URL.

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 8:46:02 AM
to jenkinsc...@googlegroups.com
Vasile Pop updated an issue
 
Change By: Vasile Pop
Attachment: System Information [Jenkins].pdf

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 8:46:04 AM
to jenkinsc...@googlegroups.com
Vasile Pop commented on Bug JENKINS-33653
 
Re: HTML Publisher artifact does not load js script

Yes sir, for the first question.
For the second request, please see the attached PDF file.

dbeck@cloudbees.com (JIRA)

Mar 21, 2016, 9:31:03 AM
to jenkinsc...@googlegroups.com

System properties are not immutable, and the output clearly shows the shortened one. Something is very weird here. As I have no insight into what you're doing, please run a sequence of script console commands, and paste them and their output here. Run only one line at a time, and record its output.

println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';")
println System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")

Since you're using HTML Publisher, the original problem may be a case of the reload only targeting the wrapper file, and then loading your own content HTML from cache. So make sure to open your HTML file fully before reloading.

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 9:51:01 AM
to jenkinsc...@googlegroups.com

The results are
Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: null
Result:
Result:
Result:
Result: sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

Now the HTML report is a bit worse, due to the error displayed below in JS console:

suites.html:1 Blocked script execution in 'http://bftsieg002.ger.corp.intel.com:8080/job/Web%20tests%20-%20Full%20suite%20-%20Staging/142/HTML_Report/suites.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

vasile.pop@gmail.com (JIRA)

Mar 21, 2016, 9:53:03 AM
to jenkinsc...@googlegroups.com
Vasile Pop edited a comment on Bug JENKINS-33653
The results are
Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: sandbox; default-src 'self'; script-src 'unsafe-inline'
Result: null
Result:
Result:
Result:
Result: sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';

Now the HTML report is a bit worse in CHROME, due to the error displayed below in JS console:

suites.html:1 Blocked script execution in 'http://bftsieg002.ger.corp.intel.com:8080/job/Web%20tests%20-%20Full%20suite%20-%20Staging/142/HTML_Report/suites.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.


The very weird thing is that it seems to work great in Firefox...

dbeck@cloudbees.com (JIRA)

Mar 21, 2016, 11:24:02 AM
to jenkinsc...@googlegroups.com

Firefox does not support the sandbox directive. Remove it to make it work in Chrome.

vasile.pop@gmail.com (JIRA)

Mar 22, 2016, 5:56:03 AM
to jenkinsc...@googlegroups.com

For some reason,
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';")
works fine now on Chrome as well, I do not see any JS console errors anymore. We can close the issue, most likely my configuration was not correct.

Thanks for the help!

dbeck@cloudbees.com (JIRA)

Mar 22, 2016, 6:22:02 AM
to jenkinsc...@googlegroups.com

Well, you removed the "sandbox" part

dbeck@cloudbees.com (JIRA)

Mar 22, 2016, 6:22:02 AM
to jenkinsc...@googlegroups.com
Daniel Beck edited a comment on Bug JENKINS-33653
Well, you removed the "sandbox" part ;-)

> because the document's frame is *sandboxed* and the 'allow-scripts' permission is not set.

dbeck@cloudbees.com (JIRA)

Mar 22, 2016, 6:23:02 AM
to jenkinsc...@googlegroups.com
Daniel Beck resolved as Not A Defect
 

Configuration issue.

Change By: Daniel Beck
Status: Open -> Resolved
Resolution: Not A Defect
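
Why the three policy values quoted in this thread behave differently, as an added example (not code from Jenkins or the HTML Publisher plugin): a simplified evaluator for a same-origin script file such as reportng.js. The `honorsSandbox` flag is a hypothetical switch modelling the statement in the thread that Firefox did not support the sandbox directive.

```javascript
// Added example: simplified model of how a browser applies the CSP values quoted in this thread.
// Modelled: the sandbox directive, script-src with fallback to default-src, and the
// 'self' / 'unsafe-inline' keywords. Not modelled: nonces, hashes, host sources, script-src-elem.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' leaves an empty directive
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// kind: 'file' = same-origin script file such as reportng.js, 'inline' = inline <script>.
// honorsSandbox: false models a browser that ignores the sandbox directive (hypothetical flag).
function checkScript(header, kind, honorsSandbox = true) {
  const policy = parseCsp(header);
  const sandbox = policy.get('sandbox');
  if (honorsSandbox && sandbox && !sandbox.includes('allow-scripts')) {
    return { allowed: false, reason: "sandbox without 'allow-scripts'" };
  }
  const name = policy.has('script-src') ? 'script-src' : 'default-src';
  const sources = policy.get(name);
  if (!sources) return { allowed: true, reason: 'no script directive' };
  const needed = kind === 'inline' ? "'unsafe-inline'" : "'self'";
  const allowed = sources.includes(needed);
  return { allowed, reason: `${name} ${allowed ? 'has' : 'lacks'} ${needed}` };
}

// The three property values that appear in the thread.
const SHORTENED = "sandbox; default-src 'self'; script-src 'unsafe-inline'";
const WITH_SANDBOX = "sandbox; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';";
const FINAL = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';";

for (const [label, csp] of Object.entries({ SHORTENED, WITH_SANDBOX, FINAL })) {
  for (const honors of [true, false]) {
    const r = checkScript(csp, 'file', honors);
    console.log(`${label} honorsSandbox=${honors}: ${r.allowed ? 'runs' : 'blocked'} (${r.reason})`);
  }
}
```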