12

I'm trying to report my .html file with the HTML Publisher plugin in Jenkins. However, since HTML Publisher was updated to version 1.10, I can't publish HTML.

Error message I'm getting:

Blocked script execution in '{mydomain}' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.

I found this doc: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

It talks about CSP.

I run Jenkins with these args:

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *; -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1 

but I still get the same error as above.

Args I tried:

 1. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'self';"
 2. -Dhudson.model.DirectoryBrowserSupport.CSP=
 3. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src *;"
 4. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src *;"    

The .html file is located at:

{mydomain}/job/{job_name}/Doc/index.html
Anand Bhat
BJ Kim

3 Answers

19

I faced a similar issue. I found and applied the following solution:

Steps:

  1. Go to the Jenkins Admin page (log in as admin).
  2. Go to Manage Jenkins -> Script Console.
  3. Then, in the script console, copy and paste the following; it made it work:

Snippet: System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src *; style-src * http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'");

This link provides more details on each of the parameters that we have set in the above code line.

Note on persistence in the Jenkins configuration: @RayKim mentioned this is not a sustainable change. If you want to keep this change permanently, you should set this property value in JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.remoting.Launcher.pingIntervalSec=0"

After setting this variable you have to restart your Jenkins to load the new configuration.

avivamg
Bilbo Baggins
  • 1
    Important to note that this does NOT survive a restart. To make it permanent, update "JENKINS_JAVA_OPTIONS" inside /etc/sysconfig/jenkins (for CentOS); on other distros it may be inside /etc/default/jenkins – Ray Kim Jun 06 '18 at 20:28
9

Can you try with a blank CSP option?

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP= -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1

On my Jenkins instance, it solved my reporting issues.

I know it's not a safe option, but I didn't find another solution :(

Bruno Lavit
  • 2
    I solved this. Your answer is right, but one should additionally remove the browser cache. Thank you – BJ Kim Apr 07 '16 at 00:40
2

For me, the above didn't work.

I tried this:

Manage Jenkins -> Script Console. Copy-paste this:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

For a permanent solution, add the following to JAVA_ARGS under /etc/default/jenkins:

-Dhudson.model.DirectoryBrowserSupport.CSP=""
Yub Raj
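
Added example (not from any of the posts above, and not Jenkins code): a small Python audit of the hudson.model.DirectoryBrowserSupport.CSP values quoted on this page, showing which of the two browser errors in the question each value would still trigger and where a value gives up protection. The function names and finding codes are made up for this illustration, and nonce/hash sources are not modelled.

```python
# Added example: audits candidate values for
# hudson.model.DirectoryBrowserSupport.CSP (finding codes are illustrative).

def parse_csp(policy):
    """Return {directive: [tokens]}; a repeated directive is ignored, as browsers do."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(policy):
    """Return a sorted list of finding codes for one policy string."""
    d = parse_csp(policy)
    if not d:
        return ["NO_POLICY"]  # empty value: archived HTML is not restricted at all
    findings = set()
    if "sandbox" in d:
        flags = set(d["sandbox"])
        if "allow-scripts" not in flags:
            findings.add("SCRIPTS_BLOCKED")      # first error in the question
        if "allow-same-origin" not in flags:
            findings.add("STORAGE_BLOCKED")      # second error (localStorage)
        if {"allow-scripts", "allow-same-origin"} <= flags:
            findings.add("SANDBOX_INEFFECTIVE")  # scripts run with the Jenkins origin
    # script-src falls back to default-src when it is absent
    sources = d.get("script-src", d.get("default-src"))
    if sources is not None:
        if "'unsafe-inline'" not in sources:
            findings.add("INLINE_SCRIPT_BLOCKED")
        if {"*", "'unsafe-inline'", "'unsafe-eval'"} & set(sources):
            findings.add("SCRIPT_SRC_WEAK")
    return sorted(findings)

# Values taken from the posts above.
CANDIDATES = [
    "sandbox; default-src 'self';",
    "sandbox allow-scripts; default-src *;",
    "sandbox allow-scripts; default-src *; style-src * http://* 'unsafe-inline' "
    "'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'",
    "",
]

if __name__ == "__main__":
    for policy in CANDIDATES:
        print(repr(policy), "->", audit(policy))
```

A report that reads localStorage would still hit the second error under any value whose sandbox lacks allow-same-origin. Adding that flag next to allow-scripts, or leaving the value empty, lets scripts in archived HTML run with the Jenkins origin.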