jenkinsci / pull-request-monitoring-plugin

Jenkins plugin to monitor pull requests with customizable dashboard. You can also provide a view for your plugin that other developers can use in their dashboard.
https://plugins.jenkins.io/pull-request-monitoring/
MIT License

Please bundle external resources with this plugin #114

Closed wwuck closed 3 years ago

wwuck commented 3 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.1
OS: Linux - 4.19.0-17-amd64
---
jdk-tool:1.5
apache-httpcomponents-client-4-api:4.5.13-1.0
git-server:1.9
email-ext:2.83
jira:3.3
docker-commons:1.17
blueocean-events:1.24.7
ansicolor:1.0.0
blueocean-github-pipeline:1.24.7
oauth-credentials:0.4
pipeline-stage-step:2.5
popper2-api:2.5.4-2
blueocean-autofavorite:1.2.4
cobertura:1.16
credentials:2.5
echarts-api:5.1.2-2
pipeline-stage-view:2.19
nodelabelparameter:1.8.1
pipeline-rest-api:2.19
blueocean-commons:1.24.7
git-forensics:1.0.0
jquery3-api:3.6.0-1
jaxb:2.3.0.1
data-tables-api:1.10.25-1
jackson2-api:2.12.3
htmlpublisher:1.25
checks-api:1.7.0
junit:1.50
github:1.33.1
momentjs:1.1.1
blueocean-config:1.24.7
pipeline-stage-tags-metadata:1.8.5
docker-plugin:1.2.2
pipeline-github-lib:1.0
mapdb-api:1.0.9.0
pipeline-graph-analysis:1.11
jsch:0.1.55.2
pipeline-build-step:2.13
workflow-step-api:2.23
blueocean-i18n:1.24.7
ssh-credentials:1.19
material-theme:0.3.3
select2-api:4.0.13-5
jquery:1.12.4-1
caffeine-api:2.9.1-23.v51c4e2c879c8
workflow-multibranch:2.26
plain-credentials:1.7
dashboard-view:2.17
ldap:2.7
favorite:2.3.3
publish-over:0.22
multibranch-build-strategy-extension:1.0.10
pipeline-input-step:2.12
forensics-api:1.1.0
basic-branch-build-strategies:1.3.2
pipeline-model-api:1.8.5
snakeyaml-api:1.29.1
theme-manager:0.6
credentials-binding:1.25
python:1.3
naginator:1.18.1
warnings-ng:9.2.0
blueocean-pipeline-scm-api:1.24.7
resource-disposer:0.16
workflow-support:3.8
bootstrap4-api:4.6.0-3
matrix-project:1.19
lockable-resources:2.11
blueocean-pipeline-editor:1.24.7
analysis-model-api:10.2.5
dependency-check-jenkins-plugin:5.1.1
google-oauth-plugin:1.0.6
ws-cleanup:0.39
workflow-aggregator:2.6
config-file-provider:3.8.0
jjwt-api:0.11.2-9.c8b45b8bb173
blueocean-rest-impl:1.24.7
configuration-as-code:1.51
plugin-util-api:2.3.0
solarized-theme:0.1
blueocean-personalization:1.24.7
jenkins-design-language:1.24.7
cloudbees-bitbucket-branch-source:2.9.9
blueocean-dashboard:1.24.7
blueocean-jira:1.24.7
docker-java-api:3.1.5.2
workflow-durable-task-step:2.39
pipeline-model-extensions:1.8.5
github-branch-source:2.11.1
antisamy-markup-formatter:2.1
handy-uri-templates-2-api:2.1.8-1.0
versioncolumn:2.1
branch-api:2.6.4
jquery-detached:1.2.1
variant:1.4
pipeline-model-definition:1.8.5
blueocean-web:1.24.7
cloudbees-folder:6.15
pull-request-monitoring:1.7.5
mailer:1.34
durable-task:1.37
dark-theme:0.0.12
scm-api:2.6.4
pubsub-light:1.16
structs:1.23
blueocean-jwt:1.24.7
build-timeout:1.20
timestamper:1.13
script-security:1.77
command-launcher:1.6
blueocean-display-url:2.4.1
google-metadata-plugin:0.3.1
okhttp-api:3.14.9
workflow-job:2.41
authentication-tokens:1.4
git:4.7.2
blueocean-pipeline-api-impl:1.24.7
docker-workflow:1.26
sshd:3.0.3
handlebars:3.0.8
bootstrap5-api:5.0.1-2
bouncycastle-api:2.20
github-api:1.123
popper-api:1.16.1-2
blueocean-core-js:1.24.7
ssh-agent:1.23
blueocean-bitbucket-pipeline:1.24.7
muuri-api:0.9.4-2
sse-gateway:1.24
pam-auth:1.6
copyartifact:1.46.1
workflow-basic-steps:2.23
pipeline-milestone-step:1.3.2
envinject-api:1.7
git-client:3.7.2
token-macro:2.15
google-storage-plugin:1.5.4
external-monitor-job:1.7
workflow-scm-step:2.13
ace-editor:1.1
workflow-api:2.45
monitoring:1.87.0
display-url-api:2.3.5
workflow-cps-global-lib:2.20
workflow-cps:2.92
blueocean-rest:1.24.7
jobConfigHistory:2.27
ssh-slaves:1.32.0
code-coverage-api:1.4.0
blueocean:1.24.7
matrix-auth:2.6.7
blueocean-git-pipeline:1.24.7
envinject:2.4.0
extended-read-permission:3.2
font-awesome-api:5.15.3-3
trilead-api:1.0.13
Jenkins server and client desktop: Devuan 3/Beowulf
Client browser: firefox-esr 78.11.0esr-1~deb10u1 (Package comes from Debian 10/Buster)

Reproduction steps

I have installed the latest version of pull-request-monitoring-plugin. I also have uBlock Origin installed in Firefox. When I visit the Pull Request Monitoring page for a specific PR build (e.g. https://ci.example.com/job/Example/job/example/view/change-requests/job/PR-123/2/pull-request-monitoring/), it is reporting attempts to download external resources from www.jenkins.io and fonts.gstatic.com.

Results

Expected result:

I would like Jenkins to not fetch unnecessary resources from external third-party domains (i.e. Google or jenkins.io). Any external resources (images, fonts, etc.) should be bundled in with the plugin so there are no UI errors when running Jenkins in a locked-down environment.

Actual result:

I can see two attempted requests for: https://www.jenkins.io/images/logos/JCasC/JCasC.png and one attempted request for: https://fonts.gstatic.com/s/materialicons/v29/2fcrYFNaTjcS6g4U3t-Y5ZjZjT5FdEJ140U2DJYC3mY.woff2

and JS console errors for:

Request to access cookie or storage on “https://www.jenkins.io/images/logos/JCasC/JCasC.png” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://fonts.gstatic.com/s/materialicons/v29/2fcrYFNaTjcS6g4U3t-Y5ZjZjT5FdEJ140U2DJYC3mY.woff2. (Reason: CORS request did not succeed).

I can also see occasional random errors for downloading CSS resources in the Firefox web developer tools, e.g. https://ci.example.com/static/34ca5e6c/css/responsive-grid.css shows SSL_ERROR_INTERNAL_ERROR_ALERT in Firefox->Web Developer->Network->Security tab.
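
Added example (not part of the original issue or the plugin's code): a small audit that scans page markup and stylesheet text for subresources that would be fetched from an origin other than the Jenkins instance, as in the report above. `PAGE_ORIGIN`, the sample markup and the `/plugin/example/...` path are constructed for illustration, and relative CSS URLs are assumed to be served from the page origin.

```javascript
// Constructed sample input modelled on the requests described in the report.
const PAGE_ORIGIN = "https://ci.example.com";
const SAMPLE_HTML = `
<link rel="stylesheet" href="/static/34ca5e6c/css/responsive-grid.css">
<img src="https://www.jenkins.io/images/logos/JCasC/JCasC.png">
<img src="https://www.jenkins.io/images/logos/JCasC/JCasC.png">
<script src="/plugin/example/js/dashboard.js"></script>
<a href="https://plugins.jenkins.io/pull-request-monitoring/">docs</a>`;
const SAMPLE_CSS = `
@font-face {
  font-family: "Material Icons";
  src: url(https://fonts.gstatic.com/s/materialicons/v29/2fcrYFNaTjcS6g4U3t-Y5ZjZjT5FdEJ140U2DJYC3mY.woff2) format("woff2");
}
.logo { background: url("img/logo.svg"); }
.dot  { background: url(data:image/gif;base64,R0lGODlhAQABAAAAACw=); }`;

// Collect URLs the browser fetches automatically: src on embedding tags,
// href on <link>, and url(...) in CSS. Plain <a href> links are navigation,
// not subresource loads, so they are ignored. Regex scanning is a heuristic,
// good enough for an audit of plugin templates, not a full HTML parser.
function extractResourceUrls(html, css) {
  const urls = [];
  const tagRe = /<(?:img|script|iframe|source|audio|video|embed)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']|<link\b[^>]*?\bhref\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(tagRe)) urls.push(m[1] || m[2]);
  const cssRe = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  for (const m of css.matchAll(cssRe)) urls.push(m[1]);
  return urls;
}

// Resolve each URL against the page origin and count requests per foreign origin.
function thirdPartyOrigins(html, css, pageOrigin) {
  const own = new URL(pageOrigin).origin;
  const counts = new Map();
  for (const raw of extractResourceUrls(html, css)) {
    let u;
    try { u = new URL(raw, own + "/"); } catch { continue; }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue; // data:, blob: are inline
    if (u.origin === own) continue;                                  // bundled with Jenkins
    counts.set(u.origin, (counts.get(u.origin) || 0) + 1);
  }
  return counts;
}

for (const [origin, n] of thirdPartyOrigins(SAMPLE_HTML, SAMPLE_CSS, PAGE_ORIGIN)) {
  console.log(`${n} external request(s) to ${origin}`);
}
```

An empty result is what a locked-down or air-gapped installation needs; any origin listed is a resource to bundle with the plugin.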

simonsymhoven commented 3 years ago

Thanks for this hint! The css/responsive-grid.css is delivered by Bootstrap, I think, but I am not sure. I am investigating this right now.

simonsymhoven commented 3 years ago

@uhafner Do you know where this file is coming from? I am not sure if there is anything I can do here.

uhafner commented 3 years ago

css/responsive-grid.css is part of Jenkins core (a modified copy of Bootstrap 3).