
JGiven Reports in Jenkins not visible with Content Security Policy #176

Closed
mgehlen opened this issue Dec 18, 2015 · 21 comments

@mgehlen

mgehlen commented Dec 18, 2015

Hi,

we have integrated JGiven into our builds and everyone really loves the reports. 👍

"Unfortunately" the Jenkins in our company has been updated and now enforces Jenkins Content Security Policy quite strictly, see here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

Since this I cannot watch the JGiven Reports on our Jenkins, neither with the JGiven Plugin nor with the HTML Publisher Plugin on version 1.10. Both worked before.

So I think what it comes down to is this:

From version 1.10 on, the HTML Publisher Plugin is compatible with Content Security Policy. Before that, it executed inline JavaScript in a file served by DirectoryBrowserSupport to set up the frame wrapper around the published files and would fail unless script-src 'unsafe-inline' was allowed, which is a possible security issue.

If the published HTML files require JavaScript or other dynamic features prohibited by Content Security Policy to work properly, the Content-Security-Policy header will need to be adjusted accordingly. This applies to all versions of HTML Publisher Plugin.

Am I correct?
Is there any chance this can be adjusted in the report or the JGiven-Plugin?

Thank you very much,

mgehlen

@janschaefer
Contributor

The JGiven HTML report heavily relies on JavaScript. There has been an older report some versions ago that was more static, but even that one used JavaScript. However, if this turns out to be a major blocking issue to use JGiven on Jenkins, one might think of writing a simple HTML report that does not use JavaScript at all.

@janschaefer
Contributor

@wolfs what is your opinion about this?

@janschaefer
Contributor

I haven't used the Jenkins security policy yet, but it seems that you can configure certain exceptions from the strict rules for certain plugins. Maybe you can convince your company to relax the rules for the JGiven plugin?

@wolfs
Contributor

wolfs commented Dec 20, 2015

With the default content security policy in place you will not be able to see the HTML5 report. If you want to see it in Jenkins you will need to relax the content security policy.
You can still download the report as a zip file and then see it on your local machine.

@mgehlen
Author

mgehlen commented Dec 21, 2015

Hi,

yes, I am also trying to have the Jenkins configured so that the reports work again. I just wanted to give you a heads up, because this might not be an option for everyone ... and I thought it safer to tackle this issue from both sides ;-)

Best regards,

mgehlen

@janschaefer
Contributor

Yes, definitely. Thanks for reporting this issue.

@nobeh

nobeh commented Jan 29, 2016

This has been the case for us recently as well. Unfortunately, the only option is indeed to download the report ZIP. It is documented at Jenkins. However, I think that it would be a better practice if also JGiven generates reports that are compliant with Content Security Policy.

@mthuret

mthuret commented Jan 29, 2016

If you have some Apache on the server hosting your Jenkins, you can use it to create an Alias to the JGiven report directory.

@janschaefer
Contributor

To see the JGiven report, you have to relax the Content Security Policy. The following setting worked for me:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self'");

The difference to the default setting is:

  • enable JavaScript, but JavaScript files can only be loaded from 'self'. There is currently no way the report will work without this setting.
  • allow inline CSS (why should that even be a security risk?). I might be able to fix that, but that might be a lot of work.
  • allow loading font files from 'self'. Without this setting the report still works, but some characters cannot be shown correctly.
  • enable allow-same-origin. As far as I see, this is only needed for the bookmarking feature, so I could maybe fix the report to still work if this is not set.

The default setting of Jenkins completely forbids JavaScript and even the usage of font files. That is very strict. For sure, it would be possible to create a JGiven report that follows this, but it would have to be completely written from scratch, as the current report is heavily based on JavaScript. It would also lose a large amount of its interactivity, like the search functionality, for example. Do you think that such a report would still be useful?
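As an added illustration (not code from this issue or from JGiven), the following Python parses the relaxed policy posted above, compares it directive by directive against the Jenkins default, and lists the added tokens that widen the policy. The default value is assumed from the Jenkins CSP page linked in the first comment; everything else is constructed here.

```python
"""Compare a relaxed hudson.model.DirectoryBrowserSupport.CSP value against the Jenkins default."""

# Assumed default, taken from the Jenkins "Configuring Content Security Policy" page.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# The relaxed policy posted in the comment above.
JGIVEN_RELAXED_CSP = (
    "sandbox allow-scripts allow-same-origin; default-src 'none'; img-src 'self'; "
    "style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self'"
)

# Tokens that widen what a served page may do; each one deserves a deliberate decision.
RISKY_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "allow-scripts",
                "allow-same-origin", "allow-forms", "*"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [tokens]}, keeping token order."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive, so the first occurrence wins here too.
        directives.setdefault(name, values)
    return directives


def diff_csp(default: str, relaxed: str) -> dict[str, dict[str, list[str]]]:
    """Per directive, return the tokens that `relaxed` adds to or removes from `default`."""
    base, new = parse_csp(default), parse_csp(relaxed)
    changes: dict[str, dict[str, list[str]]] = {}
    for name in sorted(set(base) | set(new)):
        added = [t for t in new.get(name, []) if t not in base.get(name, [])]
        removed = [t for t in base.get(name, []) if t not in new.get(name, [])]
        # A directive present on only one side counts as a change even with no tokens.
        if added or removed or (name in base) != (name in new):
            changes[name] = {"added": added, "removed": removed}
    return changes


def risky_relaxations(default: str, relaxed: str) -> list[str]:
    """List "directive token" pairs added by `relaxed` that widen the policy."""
    findings = []
    for name, change in diff_csp(default, relaxed).items():
        findings.extend(f"{name} {t}" for t in change["added"] if t in RISKY_TOKENS)
    return findings
```

Running `risky_relaxations(JENKINS_DEFAULT_CSP, JGIVEN_RELAXED_CSP)` shows exactly the three relaxations the comment lists as needed for the report (allow-scripts, allow-same-origin and inline styles), which is a useful check before pasting a policy into a production Jenkins.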

@albertofaci
Contributor

Where do you put that "System.setProperty"?

I tried running as:

java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self'" -jar jenkins.war

but it didn't work.

I think I'm having the same problem. I run from a local jenkins instance.

Blocked script execution in 'http://localhost:8080/job/..../8/jgiven/report/html/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Any further ideas? Thanks

@janschaefer
Contributor

This should actually be the correct way of setting the property. You can try to completely disable the CSP rules and check whether this works (directly taken from the Jenkins docs):

java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war

@albertofaci
Contributor

Solved, it was my browser being picky because I was testing the plugin in a local Jenkins instance and there were XSS issues because of it being accessed via localhost.
It works fine now, thanks :)

@janschaefer
Contributor

Ah yes, I forgot to say that you have to clear your browser cache :-)

@mgehlen
Author

mgehlen commented Mar 3, 2016

So we relaxed the Jenkins security settings and updated JGiven to 0.11.2; now everything is working fine again in a quite complex Jenkins master/slave environment for mobile apps for iOS and Android.

@janschaefer
Contributor

Great to hear!

@janschaefer
Contributor

I am marking this issue as wontfix now, because I currently don't think that there will be a JavaScript-free report for JGiven in the near future.

@hemanthsridhar

Hi, I am very new to Jenkins. @albertofaci can you please teach me how to relax the Jenkins security? I need an elaborate way. My OS is Mac. Please help!

@albertofaci
Contributor

@hemanthsridhar you add this parameter to the startup command:
-Dhudson.model.DirectoryBrowserSupport.CSP= (see a few comments above)
In my case it was a firewall problem, if I recall correctly.

@adrian-herscu

In my browser console I am getting the following:

Blocked script execution in 'https://our.jenkins.com/job/our-project/job/our-job/HTML_Report/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
index.html:234 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hFiNVOO90j8PzUL0Dc7twup4qFNWIrHSZ0T2P2ya4zo='), or a nonce ('nonce-...') is required to enable inline execution.

index.html:582 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-t6oewASd7J1vBg5mQtX4hl8bg8FeegYFM3scKLIhYUc='), or a nonce ('nonce-...') is required to enable inline execution.

index.html:640 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-VkWHRw+yp9rsTHLHbAzcZgd1UtRfLYwbYFvHuZSRoJ0='), or a nonce ('nonce-...') is required to enable inline execution.

28index.html:1 Blocked script execution in 'https://our.jenkins.com/job/our-project/job/our-job/HTML_Report/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
jquery-1.11.1.min.js:3 Blocked script execution in 'https://our.jenkins.com/job/our-project/job/our-job/HTML_Report/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
(anonymous) @ jquery-1.11.1.min.js:3
(anonymous) @ jquery-1.11.1.min.js:3
(anonymous) @ jquery-1.11.1.min.js:2
(anonymous) @ jquery-1.11.1.min.js:2
index.html:1 Access to Font at 'https://our.jenkins.com/job/our-project/job/our-job/HTML_Report/fonts/fontawesome-webfont.woff?v=4.2.0' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 404.
index.html:1 Access to Font at 'https://our.jenkins.com/job/our-project/job/our-job/HTML_Report/fonts/fontawesome-webfont.ttf?v=4.2.0' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 404.

@DanielFMascarenhas

Hi all, I tried to restart Jenkins using the command below:
java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self'" -jar jenkins.war

However, I see the following warning on the console: WARNING: Found invalid crumb 9470cbdff44fcc09dd61b6ee6a68d95e. Will check remaining parameters for a valid one...
And also, I am unable to log in to the Jenkins server using my admin credentials.

@nikowitt
Contributor

nikowitt commented Aug 4, 2023

I think it is worth mentioning that "allow-forms" is also required to get the search box working again.
