Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32026

HTML publisher 1.9 broken since Jenkins 1.625.3

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: htmlpublisher-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS version 1.625.3
      HTML publisher plugin 1.9
    • Similar Issues:

      Description

      After the upgrade from the Jenkins LTS version 1.625.2 to 1.625.3 the HTML report is not displayed. Instead a link "ZIP" and the text "index" is displayed in the upper left corner.
      I am not sure if this is really related to the HTML publisher plugin because its version has not been changed.

        Attachments

          Issue Links

            Activity

            Hide
            dispader Jake Gage added a comment - - edited

            I'm seeing the same issue:

            and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages:

            Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

            Show
            dispader Jake Gage added a comment - - edited I'm seeing the same issue: and I believe it may be related to iframe permissions. I only see the error in a Jenkins instance answering HTTPS, with multiple console messages: Blocked script execution in 'https://my.jenkins.redacted/jenkins/view/Project/job/job_name/Test_Summaries/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
            Hide
            dispader Jake Gage added a comment - - edited

            Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments.

            For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment:

            (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)

            Show
            dispader Jake Gage added a comment - - edited Another update— HTML publisher 1.9 itself under the latest Jenkins release works fine for me in HTTP-only environments. For clarity, what the original report is describing (seen in the first screen shot attachment), I believe is the browser trying to render the HTML publisher output in the second attachment: (Note the "Zip" link in the upper right, and the formatted names of the HTML documents in the tabs, following the "Return to Jenkins Job" link...)
            Hide
            danielbeck Daniel Beck added a comment -

            Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy.

            FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22, but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.

            Show
            danielbeck Daniel Beck added a comment - Nice analysis, but none of it was necessary because we know – see the advisory or more specifically the wiki page dedicated to Content Security Policy . FWIW I've proposed a PR that resolves the issue and generally meets approval by the author, PR 22 , but hasn't yet been released. However, there's a PR build you could download and install. Note however the other limitations on the CSP wiki page.
            Hide
            dispader Jake Gage added a comment -

            Wow— thank you, Daniel Beck !

            Show
            dispader Jake Gage added a comment - Wow— thank you, Daniel Beck !
            Hide
            mcrooney mcrooney added a comment -

            Thanks, released as 1.10!

            Show
            mcrooney mcrooney added a comment - Thanks, released as 1.10!
            Hide
            danielbeck Daniel Beck added a comment -

            So, to clarify, there are two parts to this:

            • The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this.
            • The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641.

            To work around the second issue, you basically have the following options with this:

            • Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing.
            • Publish the HTML pages elsewhere and just link there from Jenkins.
            • Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline).
            • Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation.

            You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security, we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.

            Show
            danielbeck Daniel Beck added a comment - So, to clarify, there are two parts to this: The HTML Publisher surrounds the published pages with a frame linking to the configured index pages. This frame was broken in 1.625.3/1.641, and the plugin release 1.10 fixes this. The published HTML pages may not display correctly when using things like XHR, JavaScript, inline CSS, etc. This is by design and was one of the security fixes in 1.625.3/1.641. To work around the second issue, you basically have the following options with this: Live with the brokenness, if it's not too severe. (E.g. Javadoc plugin has a similar issue with Javascript not running even with PR 4 applied), but it's hardly noticeable in my testing. Publish the HTML pages elsewhere and just link there from Jenkins. Make the HTML pages work without this kind of dynamic content or adapt to work within the rules (e.g. external CSS files rather than inline). Relax the rules controlling what static HTML files served by Jenkins are allowed to do: See documentation . You may be asking "Daniel, this security issue seems a bit far-fetched – most installations allow everyone to do everything, why so restrictive?" Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them, given how many users don't bother to apply basic common sense to their instance security , we opted to make Jenkins secure out of the box in this regard, rather than make it opt-in.
            Hide
            wir_wolf Andru Cherny added a comment -

            My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11
            Bug exsist.

            Show
            wir_wolf Andru Cherny added a comment - My Jenkins ver. 1.651.2 and HTML Publisher plugin - 1.11 Bug exsist.
            Hide
            danielbeck Daniel Beck added a comment -

            This issue has been resolved. HTML Publisher itself failed to show the iframe at all, which this issue is about.

            What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

            Show
            danielbeck Daniel Beck added a comment - This issue has been resolved. HTML Publisher itself failed to show the iframe at all , which this issue is about. What's left is covered by https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

              People

              • Assignee:
                danielbeck Daniel Beck
                Reporter:
                berndpohl Bernd Pohl
              • Votes:
                6 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: