BJ Kim

Reputation: 133

Jenkins HTML Publisher Plugin : allow script permission issue

I'm trying to report my .html file with the HTML Publisher plugin in Jenkins; however, since HTML Publisher was updated to version 1.10, I can't publish HTML.

Error message I'm getting:

Blocked script execution in '{mydomain}' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.

I found this doc: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

It talks about CSP.

I run Jenkins with these args:

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *; -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1 

but I still get the same error as above.

Args I tried:

 1. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'self';"
 2. -Dhudson.model.DirectoryBrowserSupport.CSP=
 3. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src *;"
 4. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src *;"    

The .html is located at:

{mydomain}/job/{job_name}/Doc/index.html

Upvotes: 13

Views: 16442

Answers (3)

Yub Raj

Reputation: 49

For me, the above didn't work.

I tried this:

Manage Jenkins -> Script Console, then copy-paste this:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

For permanent solution: Add the following to JAVA_ARGS under /etc/default/jenkins:

-Dhudson.model.DirectoryBrowserSupport.CSP=""

Upvotes: 2

Bilbo Baggins

Reputation: 3019

I faced a similar issue; I found and applied the following solution:

Steps:

  1. Go to the Jenkins Admin page (login as admin).
  2. Go to Manage Jenkins -> Script Console
  3. Then, in the script console, copy-paste the following; it made it work:

Snippet: System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src *; style-src * http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'");

This link provides more details on each of the parameters that we have set in the above code line.

Note on persistence in the Jenkins configuration: @RayKim mentioned this is not a sustainable change. If you want to keep this change permanently, you should set this property value in JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.remoting.Launcher.pingIntervalSec=0"

After setting this variable you have to restart your Jenkins to load the new configuration.

Upvotes: 21

Bruno Lavit

Reputation: 10382

Can you try with a blank CSP option?

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP= -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1

On my Jenkins instance, it solved my reporting issues.

I know it's not a safe option, but I didn't find another solution :(

Upvotes: 10
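
The CSP values tried on this page differ mainly in their `sandbox` directive, which is what produces both console errors quoted in the question. As an added example (not code from any of the posts above), this Python code models only that directive and reports which of the two errors a policy would still cause and whether the published report stays isolated from the Jenkins origin; the function names are illustrative.

```python
# Added example: how a browser interprets the CSP "sandbox" directive.
# The sample policies are values quoted in the question and answers above.
SAMPLES = {
    "tried #1": "sandbox; default-src 'self';",
    "tried #4": "sandbox allow-scripts; default-src *;",
    "blank": "",  # empty property value: Jenkins sends no CSP header
}


def sandbox_flags(csp):
    """Return None when the policy has no sandbox directive, otherwise the
    set of allow-* flags on it (the first sandbox directive wins)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return {t.lower() for t in tokens[1:]}
    return None


def predicted_errors(csp):
    """Sandbox errors from the question that this policy would still cause.
    Only the sandbox directive is modelled, not script-src or default-src."""
    flags = sandbox_flags(csp)
    if flags is None:
        return []
    errors = []
    if "allow-scripts" not in flags:
        errors.append("script execution blocked")
    if "allow-same-origin" not in flags:
        # Only visible if the report page actually touches localStorage.
        errors.append("localStorage blocked")
    return errors


def isolated_from_jenkins_origin(csp):
    """True when the report is forced into a unique opaque origin, so its
    scripts cannot read same-origin storage or act as the Jenkins origin."""
    flags = sandbox_flags(csp)
    return flags is not None and "allow-same-origin" not in flags


if __name__ == "__main__":
    for name, csp in SAMPLES.items():
        print(name, predicted_errors(csp), isolated_from_jenkins_origin(csp))
```

A blank value clears both errors but also removes the origin isolation, while `sandbox allow-scripts` keeps the isolation and therefore still blocks `localStorage`.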
