Remove inline styles and scripts for better Jenkins CSP compliance #35
Comments
I will have a look at this. But it may take some time.
Thanks! For what it's worth, I had to set a variety of CSP settings to allow Jenkins to display ReportGenerator content properly:
The
I took a quick look. Jenkins is very restrictive.
Yeah, defining 100 different CSS classes for 1-100px widths does seem unappealing, although that does seem to be the only non-JS way to get around an inline style prohibition. Some more info on the dangers of inline styles is here: http://stackoverflow.com/a/31759553/466874.
I started working on this issue. I think I can provide a new release in the next days.
Thanks Daniel. I really appreciate it.
Could you please test this release: https://www.nuget.org/packages/ReportGenerator/2.4.0-beta2 With the default Jenkins settings ("sandbox; default-src 'self';") you should see a correctly formatted static report. If you enable scripts with the following command, all dynamic features should work:
Let me know if something is not working yet.
I just tested it after resetting the Jenkins CSP to its default, and the report renders correctly as a static document (with green/red bars of the proper widths). I then adjusted the CSP to the setting you'd suggested, and it rendered properly with all the usual dynamic controls (expand/collapse and the Grouping slider). It works perfectly. Thank you!
Great. Thanks for your input and help.
Jenkins 1.641 / Jenkins 1.625.3 LTS introduced a new Content Security Policy with a very restrictive default (described at https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy#ConfiguringContentSecurityPolicy-Implementation). This breaks the coverage reports generated by ReportGenerator in several ways. Adjusting Jenkins' CSP to allow ReportGenerator's "combined.js" file might be reasonable (via script-src 'self'), but allowing the inline JavaScript and inline style attributes (via script-src 'unsafe-inline' and style-src 'unsafe-inline') that ReportGenerator uses would open too much of a gap in the intended CSP security model.
Could you move the (generated) inline JavaScript into a separate .js file, and define the % widths as classes in a separate stylesheet file (or set the style attributes in a function in the .js file), so that no inline scripts or styles are needed?