HTML report should inline external resources

[realdadfish]

Currently, the generated HTML report links material.css and material.js externally. This is an issue in CI systems like Jenkins, where people like me eventually want to publish the report to (through the HTML Publisher Plugin for example), because there the report is loaded inside an <iframe> and CSP rules apply. To then let the report render properly, one would have to white-list domains like cdn.jsdelivr.net, which is not only a burden to do (and not even possible in "hosted" environments), but also a big security hole, because when this domain is whitelisted, basically any NPM script is able to be loaded.

So I'd heavily vote for just inlining the needed CSS / JS during the build process and not link external resources in the report, at all.

[takahirom]

I'm considering the possibility of inlining the external resources within our HTML report. Are there any specific methods you'd recommend for doing so? I'm currently deliberating whether it's necessary to include the inlined version directly in our repository. Your insights on this would be greatly appreciated.

[bencehornak-gls]

I'm not super familiar with Jenkins plugin development, but I have seen some plugin repos with Java and JavaScript dependencies both. You can check out the pipeline-graph-view-plugin for example, where webpack is used to generate JS bundles, which are placed into the src directory (see the webpack.config.js). The generated files are excluded from the repo (see the .gitignore), and the CONTRIBUTING.md describes, how those bundles can be generated during development.

Hope this helps and I got your question right

[realdadfish]

I'm considering the possibility of inlining the external resources within our HTML report. Are there any specific methods you'd recommend for doing so? I'm currently deliberating whether it's necessary to include the inlined version directly in our repository. Your insights on this would be greatly appreciated.

Well, coming from a DevOps background, build stability and reproducability is key. If you have to rely on external resources to be available in your build, your build stability and reproducability is at risk, unless you checksum and/or cache things, so I'd always vote for checking in a small number of resources in my own repo for simplicity reasons.