Open deepujain opened 8 years ago
I am able to see code coverage reports on my local machine (via index.html), but they do not show up on Jenkins. Clicking on Scoverage HTML Report shows a blank page.
I had a similar problem. By opening the developer tools in my browser I found that the content was disabled due to the Content-Security-Policy header sent by Jenkins. See the Jenkins wiki for details: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
I got it working with the following header:
upgrade-insecure-requests; default-src 'self' http://ajax.googleapis.com 'sha256-mp+EOTi7PD8ouIeZyvVpn8Wh8g+tBzyRxDcSIUbYHO8=' https://cdnjs.cloudflare.com http://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com http://yui.yahooapis.com; img-src 'self' data: ; style-src 'self' 'unsafe-inline' http://yui.yahooapis.com https://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com
Can you check with your browser's developer tools (e.g. Firebug in Firefox) what kind of errors it shows?
Chrome - Developer Tools - JS Console
When you say you got it working with the header, what exactly did you do? (Steps are appreciated.) And does this need to be done by every client browser?
It looks like the quickest fix would be setting the property as @kasper-f mentioned along with Jenkins start.
Where do I set that header?
In the Jenkins start script, set properties like java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war; it's also documented in https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy.
java -Dhudson.model.DirectoryBrowserSupport.CSP=upgrade-insecure-requests; default-src 'self' http://ajax.googleapis.com 'sha256-mp+EOTi7PD8ouIeZyvVpn8Wh8g+tBzyRxDcSIUbYHO8=' https://cdnjs.cloudflare.com http://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com http://yui.yahooapis.com; img-src 'self' data: ; style-src 'self' 'unsafe-inline'http://yui.yahooapis.com https://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com -jar jenkins.war
Is this correct?
Deepak
Works but
Command:
nohup java -Dhudson.model.DirectoryBrowserSupport.CSP="upgrade-insecure-requests; default-src 'self' http://ajax.googleapis.com 'sha256-mp+EOTi7PD8ouIeZyvVpn8Wh8g+tBzyRxDcSIUbYHO8=' https://cdnjs.cloudflare.com http://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com http://yui.yahooapis.com; img-src 'self' data: ; style-src 'self' 'unsafe-inline'http://yui.yahooapis.com https://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com" -jar jenkins.war &
In version 1.2.0-SNAPSHOT all external CSS and JS files are accessed using the https protocol (see this PR and this commit). Can you try with 1.2.0-SNAPSHOT?
@deepujain wrote that it fails for him too, but I'm curious whether it's better than 1.1.1 (how many errors are left, and which exactly).
I've tested this problem myself. My conclusions:
1. There should be some info about this problem and how to properly configure the server in the Scoverage Jenkins plugin documentation or here https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy in the Making Plugins Work section.
2. Simplest working hudson.model.DirectoryBrowserSupport.CSP property values:
a) -Dhudson.model.DirectoryBrowserSupport.CSP= - disables all security restrictions
b) -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' 'unsafe-inline' https: data:" - a reasonably simple and secure value (all possible options here: http://content-security-policy.com/).
Are you suggesting I move to 1.2.0-SNAPSHOT with Jenkins 2.8, and then I do not have to basically get all the older features to work again?
Deepak
No. I'm sorry, I was wrong. I didn't know about this Jenkins Content Security Policy. Tested it just yesterday. My findings are in my previous comment.
Anyway, using insecure http links to external CSS, JS, etc. files when the page is accessed using the secure https protocol causes similar problems, but this is a different problem.
Is there a defect that needs a fix?
Deepak
No
What do I do to get those CSS files working again with Jenkins 2.8?
I have enabled the flag to highlight code in red/green depending on whether it is covered or not, and the coverage column was getting populated with bars. Also, overall the fonts seem not to be coming from any CSS, as they look different.
[image: Inline image 1][image: Inline image 2]
I hope you understood what the problem is.
Deepak
I don't see any attached images. You can send them to me directly. Did you try turning content security policy completely off with -Dhudson.model.DirectoryBrowserSupport.CSP=?
The green/red bars are styled by inline CSS, so you at least need to add 'unsafe-inline' to style-src. Fonts - I don't know, I would like to see your screenshots first. Anyway, try with CSP turned off first.
Can you send me your email id? I can share the images with you.
I start Hudson with:
nohup java -Dhudson.model.DirectoryBrowserSupport.CSP="upgrade-insecure-requests; default-src 'self' http://ajax.googleapis.com 'sha256-mp+EOTi7PD8ouIeZyvVpn8Wh8g+tBzyRxDcSIUbYHO8=' https://cdnjs.cloudflare.com http://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com http://yui.yahooapis.com; img-src 'self' data: ; style-src 'self' 'unsafe-inline'http://yui.yahooapis.com https://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com" -jar jenkins.war &
This is the only change I made.
I see pure-min.css being blocked in the Chrome browser Developer Tools, Network tab. That is because it is curl 'https://yui.yahooapis.com/pure/0.3.0/pure-min.css' --compressed (HTTPS) and the rest are all HTTP.
How should I START Jenkins to fix this error?
Deepak
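As an added check (not code from the scoverage plugin or from anyone in this thread), here is a small evaluator of CSP source lists: it parses a policy, reports tokens a browser would discard, and decides which fetches the policy blocks from a page at an assumed Jenkins origin. Run on a constructed policy shaped like the commands above, it flags the token where the space after 'unsafe-inline' is missing, and it applies the CSP Level 2 rule that an http:// host source also matches the https:// URL of the same host.

```python
import re
from urllib.parse import urlsplit

# CSP Level 2 source forms (simplified): keyword like 'self', bare scheme like "https:", [scheme://]host[:port][/path].
_KEYWORD = re.compile(r"^'[^']+'$")
_SCHEME_SRC = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
_HOST_SRC = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[a-z0-9.-]+)"
                       r"(?::(?:\d+|\*))?(?:/\S*)?$", re.I)

def parse_policy(header):
    """Split a CSP header into {directive: [source tokens]}; directives end at ';'."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy
def invalid_sources(header):
    """Tokens that fit none of the three forms, e.g. 'unsafe-inline'http://host (space missing)."""
    return [t for srcs in parse_policy(header).values() for t in srcs
            if not (_KEYWORD.match(t) or _SCHEME_SRC.match(t) or _HOST_SRC.match(t))]
def source_matches(source, url, page_origin):
    """Does one source expression permit fetching url from a page at page_origin = (scheme, host)?"""
    u = urlsplit(url)
    if source.lower() == "'self'":
        return (u.scheme, u.hostname) == page_origin
    if _SCHEME_SRC.match(source):
        return u.scheme == source[:-1].lower()
    m = _HOST_SRC.match(source)
    if not m:  # 'unsafe-inline', hashes, nonces and malformed tokens never match a URL
        return False
    scheme = (m["scheme"] or page_origin[0]).lower()
    if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False  # CSP2 lets an http:// source match the https:// form of the same host
    return u.hostname == m["host"].lower()
def blocked(header, page_origin, requests):
    """(directive, url) pairs the policy blocks; a directive absent from it falls back to default-src."""
    policy = parse_policy(header)
    return [(d, url) for d, url in requests
            if not any(source_matches(s, url, page_origin)
                       for s in policy.get(d, policy.get("default-src", [])))]

# Constructed inputs shaped like the thread's header; note the missing space after 'unsafe-inline'.
BROKEN = ("default-src 'self' http://ajax.googleapis.com; img-src 'self' data: ; "
          "style-src 'self' 'unsafe-inline'http://yui.yahooapis.com https://cdnjs.cloudflare.com")
FIXED = BROKEN.replace("'unsafe-inline'http", "'unsafe-inline' http")
PAGE = ("https", "jenkins.example.com")  # assumed origin of the Jenkins UI
REQUESTS = [("style-src", "https://yui.yahooapis.com/pure/0.3.0/pure-min.css"),
            ("script-src", "https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js")]
```

With BROKEN, invalid_sources() returns the fused token and blocked() lists pure-min.css; with FIXED, both are empty, because the http://yui.yahooapis.com source covers the https URL.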
My email is in my profile.
Any update on this? I tried adding the CSP property, but Jenkins startup gave me an error:
* Restarting Jenkins Continuous Integration Server jenkins
-su: default-src: command not found
-su: img-src: command not found
-su: style-src: command not found
@punitag How did you define the CSP property and start Jenkins? It would be good if we could have the command line.
@shanbin
This is the line in /etc/default/jenkins
JAVA_ARGS="-Djava.awt.headless=true -Djavax.net.ssl.trustStore=/var/lib/jenkins/custom-cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dhudson.model.DirectoryBrowserSupport.CSP="upgrade-insecure-requests; default-src 'self' http://ajax.googleapis.com 'sha256-mp+EOTi7PD8ouIeZyvVpn8Wh8g+tBzyRxDcSIUbYHO8=' https://cdnjs.cloudflare.com http://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com http://yui.yahooapis.com; img-src 'self' data: ; style-src 'self' 'unsafe-inline' http://yui.yahooapis.com https://cdnjs.cloudflare.com http://netdna.bootstrapcdn.com"
I am facing the same error and CSS files are not being pulled. As a result, rendering is not styled.
Deepak
I started getting an SSL Protocol Error in Chrome when I click the Scoverage HTML report.
Any solutions?
Deepak
@shanbin I have the same problem as @punitag. Even the "-Dhudson.model.DirectoryBrowserSupport.CSP=" setting to turn security off doesn't seem to have any effect on the scoverage reports loading blank with the error events.
edit: turning off the whole CSP works, though it involved upgrading to the latest version of Jenkins and/or restarting Jenkins several times.
So the real fix would be to have the scoverage plugin write an HTML document that wouldn't have the security issues?
The following CSP policy has worked for me:
default-src 'none'; frame-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com https://cdnjs.cloudflare.com https://netdna.bootstrapcdn.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://netdna.bootstrapcdn.com;
Any movement on this? Some of us are not permitted to tweak CSP. We need a version without the security issues. Thanks.
Just adding to the list of folks who would like to see a fix for this. The Jenkins instance we use can not just open up CSP to a full CDN.
+1
+1 how about baking the dependencies in?
I'd also appreciate some activity on this
As a workaround I got this working by installing this Chrome extension: Content Security Policy Override
I set my configuration to the following:
[
["http://my\\.jenkins\\.url", [
[".*", ""]
]]
]
And now the CSP header is scrubbed from anything Jenkins sends.
This is obviously very insecure, so it's advisable to configure a more restrictive CSP policy.
I'm seeing the same problem, any fix?