JGiven Reports in Jenkins not visible with Content Security Policy #176
Comments
The JGiven HTML report heavily relies on Javascript. There has been an older report some versions ago that was more static, but even that one used Javascript. However, if this turns out to be a major blocking issue to use JGiven on Jenkins, one might think of writing a simple HTML report that does not use Javascript at all. |
@wolfs what is your opinion about this? |
I haven't used the Jenkins security policy yet, but it seems that you can configure certain exceptions from the strict rules for certain plugins. Maybe you can convince your company to relax the rules for the JGiven plugin? |
With the default content security policy in place you will not be able to see the html5 report. If you want to see it in Jenkins you will need to relax the content security policy. |
Hi, yes, I am also trying to have the Jenkins configured so that the reports work again. I just wanted to give you a heads up, because this might not be an option for everyone ... and I thought it safer to tackle this issue from both sides ;-) Best regards, mgehlen |
Yes, definitely. Thanks for reporting this issue. |
This has been the case for us recently as well. Unfortunately, the only option is indeed to download the report ZIP. It is documented at Jenkins. However, I think that it would be a better practice if also JGiven generates reports that are compliant with Content Security Policy. |
If you have some Apache on the server hosting your Jenkins, you can use to create an Alias to the JGiven report directory. |
To see the JGiven report, you have to relax the Content Security Policy. The following setting worked for me:
The difference to the default setting is:
The default setting of Jenkins completely forbids JavaScript and even the usage of font-files. That is very strict. For sure, it would be possible to create a JGiven report that follows this, but that would have to be completely written from scratch, as the current report is heavily based on Javascript. It would also lose a large amount of its interactivity, like the search functionality, for example. Do you think that such a report would still be useful? |
Where do you put that "System.setProperty"? I tried running as:
but it didn't work. I think I'm having the same problem. I run from a local Jenkins instance.
Any further ideas? Thanks |
This should actually be the correct way of setting the property. You can try to completely disable the CSP rules and check whether this works (directly taken from the Jenkins docs):
|
Solved, it was my browser being picky because I was testing the plugin in a local Jenkins instance and there were XSS issues because of it being accessed via localhost |
Ah yes, I forgot to say that you have to clear your Browser cache :-) |
So we relaxed the Jenkins Security settings and updated JGiven to 0.11.2. Now everything is working fine again in a quite complex Jenkins Master Slave environment for Mobile Apps for iOS and Android. |
Great to hear! |
I mark this issue now as wontfix, because I currently don't think that there will be a Javascript-free report in the near future for JGiven. |
Hi, I am very new to Jenkins. @albertofaci can you please teach me how to relax the Jenkins security? I need an elaborate way. My OS is Mac. Please help! |
@hemanthsridhar you add this parameter in the startup command |
In my browser console I am getting the following:
|
Hi All, I tried to restart Jenkins using the command below. However, I see the warning below on the console: WARNING: Found invalid crumb 9470cbdff44fcc09dd61b6ee6a68d95e. Will check remaining parameters for a valid one... |
I think it is worth mentioning that "allow-forms" is also required to get the search box working again. |
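Since the thread relaxes the Jenkins policy step by step (scripts, fonts, then "allow-forms"), the following added example, which is not code from JGiven, Jenkins, or any commenter, lists exactly what a candidate policy opens up relative to the strict default before it is applied. Assumptions: the baseline string is the default documented by Jenkins at the time of this issue (check your Jenkins version), and `SAMPLE_RELAXED` is a constructed value, not the setting any commenter posted.

```python
"""Added example: list how a Jenkins CSP value is looser than the strict default."""
# Assumed baseline: the default documented by Jenkins when this issue was filed.
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
# Constructed sample value, not copied from any comment in this thread.
SAMPLE_RELAXED = ("sandbox allow-scripts allow-forms; default-src 'none'; "
                  "img-src 'self' data:; style-src 'self' 'unsafe-inline'; "
                  "script-src 'self' 'unsafe-inline'; font-src 'self';")
FETCH = ("script-src", "font-src")  # always checked, even if neither policy names them
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(policy):
    """Return {directive: set(values)}; the first occurrence of a directive wins."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in parsed:
            parsed[tokens[0].lower()] = set(tokens[1:])
    return parsed


def effective(parsed, directive):
    """Sources for a directive, falling back to default-src; None = unrestricted."""
    if directive in parsed:
        return parsed[directive]
    return parsed.get("default-src")


def diff_against_default(policy, baseline=JENKINS_DEFAULT):
    """Return findings describing every way `policy` is looser than `baseline`."""
    new, old = parse_csp(policy), parse_csp(baseline)
    findings = []
    if "sandbox" in old and "sandbox" not in new:
        findings.append("sandbox removed entirely")
    for flag in sorted(new.get("sandbox", set()) - old.get("sandbox", set())):
        findings.append(f"sandbox flag added: {flag}")
    for directive in sorted((set(new) | set(old) | set(FETCH)) - {"sandbox"}):
        now, before = effective(new, directive), effective(old, directive)
        if before is None:
            continue  # baseline did not restrict this directive
        if now is None:
            findings.append(f"{directive} unrestricted")
            continue
        for src in sorted(now - before - {"'none'"}):
            tag = " (risky)" if src in RISKY else ""
            findings.append(f"{directive} now allows {src}{tag}")
    return findings
```

An empty policy string, which is what disabling the CSP rules amounts to, is reported as the sandbox being removed and every checked directive being unrestricted.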
Hi,
we have integrated JGiven into our builds and everyone really loves the reports. 👍
"Unfortunately" the Jenkins in our company has been updated and now enforces Jenkins Content Security Policy quite strictly, see here: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
Since this I cannot watch the JGiven Reports on our Jenkins, neither with the JGiven Plugin nor with the HTML Publisher Plugin on version 1.10. Both worked before.
So I think what it comes down to is this:
Am I correct?
Is there any chance this can be adjusted in the report or the JGiven-Plugin?
Thank you very much,
mgehlen