Closed timja closed 8 years ago
Additional information:
The following error is shown in the browser console of Firefox:
Content Security Policy: The page's settings blocked the loading of a resource: ("style-src https://xxx.xxx.xxx:8080")
The bug also happens if the SVG file is opened directly from the link created by the copy artifact plugin, so it is probably not caused by the image gallery plugin.
Thanks for taking care of that danielbeck. Closing the issue as this seems to have been fixed with CSP in newer versions of Jenkins.
kinow To clarify, the Dec 9 security fix introduced CSP for DirectoryBrowserSupport, thereby breaking uses like this, and the solution is to customize the CSP header to be less restrictive.
The default value of hudson.model.DirectoryBrowserSupport.CSP is
sandbox; default-src 'none'; img-src 'self'; style-src 'self';
To solve the problem with the SVG images, I had to change it to
sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline';
See https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
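An added example (not from the thread and not Jenkins code): a simplified Python model of how a browser evaluates style-src for inline styles, run against the two policy strings quoted above, plus a helper that reports what a customized header permits beyond the default. The function names are hypothetical, and source matching is reduced to the inline-style case.

```python
# Added example: simplified model of CSP handling for inline styles.
# The two policy strings are the ones quoted in the thread.
DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline';"


def parse_csp(header):
    """Return {directive: [tokens]}; a repeated directive is ignored, as CSP specifies."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy, directive):
    """Fetch directives (*-src) fall back to default-src; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive.endswith("-src") else None


def inline_style_allowed(header):
    """True if <style> elements and style= attributes would be applied."""
    sources = effective(parse_csp(header), "style-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not strict


def relaxations(old_header, new_header):
    """Report, per directive, what the new policy permits beyond the old one."""
    old, new = parse_csp(old_header), parse_csp(new_header)
    report = {}
    for name in sorted(set(old) | set(new)):
        before, after = effective(old, name), effective(new, name)
        if before is None:
            continue  # nothing was restricted before, so nothing can be loosened
        if after is None:
            report[name] = ["(restriction removed)"]
            continue
        added = [t for t in after if t not in before and t.lower() != "'none'"]
        if added:
            report[name] = added
    return report
```

Running relaxations() on a customized header before deploying it shows exactly which directives were loosened; for the change above it reports only 'unsafe-inline' on style-src, with sandbox and default-src 'none' left in place.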
Steps to reproduce:
Changing the Firefox preference security.csp.enable from true to false fixes the problem.
This seems to be related to this: https://greasyfork.org/de/forum/discussion/353/doesnt-work-because-of-content-security-policy
https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content
Originally reported by jherb, imported from: svg image provided by copy artefact plugin does not show correctly in firefox if jenkins runs via https