update Jenkins security settings - jenkins

I updated the Jenkins security settings to support Allure reports:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
It works fine; now I need to add
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts;")
for the HTML report.
How can I combine both settings into one?
Thanks, Mor

Looks like this one
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'none'; img-src 'self'; style-src 'self'; child-src 'self'; frame-src 'self';")
does the trick.

Related

Migrating Spring Boot from 2.1.8.RELEASE to 2.7.7, keeping springfox dependencies

I migrated a JHipster application generated with JHipster version 6.3.0.
Everything is right except Swagger. I don't want to migrate to springdoc for now; I just kept springfox.
I get this exception when I go to /admin/docs:
Refused to frame 'http://swagger.io/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".
Should I change the CSP or something else?
Right now I have this line in SecurityConfiguration
.contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' www.googletagmanager.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com data:")
Yes. It should work when adding http://swagger.io/ to frame-src in the CSP configuration. E.g.
...; frame-src 'self' http://swagger.io/ data:; ...
I solved the CSP problem by using:
.and().frameOptions().sameOrigin()
But in the end I had no choice; I was obliged to migrate to springdoc instead.

rails email preview / Policy directive: "style-src 'unsafe-inline'"

Getting the following when using Rails' built-in email previews:
Refused to load the stylesheet
'http://app.lvh.me:3000/packs/...' because it violates
the following Content Security
Policy directive: "style-src 'unsafe-inline'".
Ended up adding the following in the headers:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';">
But I am still getting the issue.
Has anyone encountered and solved this issue?
Obviously, this answer could be enhanced by explaining why this happened,
but so far it seems that the workaround is to add the following gem:
gem 'premailer-rails'
As explained here.

Content Security Policy Jenkins

Question: I am trying to use the protractor-beautiful-reporter on my Jenkins install. This is an Angular app. However, when the page is rendered it shows that the Angular bit isn't working. Looking at the console for the page shows the following:
Content Security Policy: The page’s settings blocked the loading of a
resource at
https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js
(“script-src http://dskvm4981-iis:8080 'unsafe-inline'
'unsafe-eval'”).
I already use a couple of setProperty calls to override the CSP for the machine. These are:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
System.setProperty("jenkins.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
Anyone know how to change the above to work from either a local file or a remote file?
One workaround would be to avoid having the report download the Angular source at all, either by requesting this kind of change on the protractor-beautiful-reporter issue tracker or by forking the package, copying the Angular source, and changing the source of the script from:
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"></script>
to something like:
<script src="angular.min.js"></script>
with the minified Angular JS file downloaded next to the index.html itself.
This is no more than a workaround, of course.

Error with cordova security content after build

I am working with a hybrid Cordova application on iOS. The latest version of Cordova adds this line to the head tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
and when I build for the simulator or a device, it returns this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This error appears at the moment of interaction with the server, blocking the AJAX requests.
What am I doing wrong? Please help!
The error message is telling you that your current content security policy prohibits requests to the domain you're making the request to, as you haven't specified that it is allowed to do so. Include this in the CSP tag:
script-src https://yourajaxdomainhere
So it becomes
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *">
Also ensure the domain you're sending requests to is added as an allowed origin in your config.xml file.
<access origin="https://yourajaxdomainhere" />
More information on content security policy is here.

missing pie chart and other elements when display serenity report from jenkins

Need your help!
I've been working on integrating my automation tests into Jenkins. I use Serenity BDD and JBehave. My Serenity report displays OK when I run my tests manually. But when I integrate the tests into Jenkins and try to display the report through the Publish HTML Report Plugin, it can't display the pie chart, and other elements are missing as well.
Any idea how to solve this?
Actually, you don't need to downgrade Jenkins. This issue happens because of the new content security policy headers that are supported by modern browsers. A correct resolution could be the following (code examples and paths are for CentOS 7):
Configure the content security policy header via a Jenkins system property:
sudo vim /etc/sysconfig/jenkins
Set the Java options as follows:
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-forms allow-scripts; default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';\""
# save and exit
sudo /etc/init.d/jenkins restart
Install the Jenkins CORS Filter Plugin: https://wiki.jenkins-ci.org/display/JENKINS/Cors+Filter+Plugin
Set up CORS (Manage Jenkins -> Configure System -> CORS Filter)
Enjoy the results :-)
More details about content security policy: http://content-security-policy.com
I got it working as below on Ubuntu 16.04.
Go to /etc/default/jenkins and set the value below:
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-forms allow-scripts; default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src data:;\""
Restart Jenkins with the command
http://localhost:8080/safeRestart
Go to Jenkins > Manage Jenkins > Script Console and run the following:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
Close the existing Jenkins browser window and open a new one in incognito mode.
References:
Jenkins Content Security Policy
Jenkins - HTML Publisher Plugin - No CSS is displayed when report is viewed in Jenkins Server
I have also been facing the same problem. I used some code in the Script Console to show an Extent Report via the HTML plugin; it worked, but the pie chart was not visible. After exploring a lot, I finally found the following code, with which I am also able to view the pie chart in my Extent reports. Go into the Script Console and run the following code:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
Since it is a Java property in the end, it can be set up either inside the Jenkins application or at Jenkins startup. In my case, using Ubuntu, adding it requires editing /usr/lib/systemd/system/jenkins.service and adding the following line:
# Arguments for displaying Thucydides reports correctly
Environment="JAVA_OPTS=-Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src \"*\" 'unsafe-inline' 'unsafe-eval'; script-src \"*\" 'unsafe-inline' 'unsafe-eval'; connect-src \"*\" 'unsafe-inline'; img-src \"*\" data: blob: 'unsafe-inline'; frame-src \"*\"; style-src \"*\" 'unsafe-inline';\""
Save the file and execute the following commands to finish the process:
sudo systemctl daemon-reload
sudo service jenkins restart
Now every time Jenkins is restarted, the property is set!
Solved. Need to downgrade Jenkins.
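Two recurring points in the threads above are how to combine two CSP strings for hudson.model.DirectoryBrowserSupport.CSP into one (the Allure plus sandbox question at the top) and what is given up by the wide-open policies such as default-src * 'unsafe-inline' 'unsafe-eval' quoted in the last answers. The following is an added example, not code from Jenkins or from any of the posts: it parses a policy into its directives, unions two policies into one header value, and reports directives whose sources effectively switch the protection off. It assumes only plain policy strings as input; the WEAK_SOURCES and CODE_DIRECTIVES sets are the example's own choices.

```python
"""Parse, merge and audit Content-Security-Policy strings.

Added example, not code from Jenkins or from any of the posts above. It
assumes a policy is the plain string you would pass to the
hudson.model.DirectoryBrowserSupport.CSP property; no Jenkins API is used.
"""

# Source expressions that hand back most of what a directive was restricting
# (example's own list; the CSP spec defines them, the selection is ours).
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:", "blob:"}
# Directives that govern code execution or embedding; broad sources here matter most.
CODE_DIRECTIVES = {"default-src", "script-src", "object-src", "frame-src", "child-src"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Map each directive name to its list of tokens (sources, or sandbox flags).

    Directives are separated by ';' and tokens by whitespace. Names are
    lower-cased, and a repeated directive keeps its first occurrence, which is
    how browsers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def serialize_csp(directives: dict[str, list[str]]) -> str:
    """Render a directive map back into a single header value."""
    return "; ".join(" ".join([name, *tokens]) for name, tokens in directives.items()) + ";"


def merge_csp(*policies: str) -> str:
    """Combine several policies into one, unioning the tokens of shared directives.

    The union allows at least everything each input allowed, so merging can
    only loosen a policy, never tighten it; run audit_csp on the result.
    """
    merged: dict[str, list[str]] = {}
    for policy in policies:
        for name, tokens in parse_csp(policy).items():
            bucket = merged.setdefault(name, [])
            for token in tokens:
                if token not in bucket:
                    bucket.append(token)
    return serialize_csp(merged)


def audit_csp(policy: str) -> list[str]:
    """Return findings for directives that grant broad execution or embedding rights."""
    directives = parse_csp(policy)
    findings = []
    for name in sorted(n for n in directives if n in CODE_DIRECTIVES):
        weak = [t for t in directives[name] if t in WEAK_SOURCES]
        if weak:
            findings.append(f"{name} allows {' '.join(weak)}")
    if "default-src" not in directives:
        findings.append("no default-src: fetch directives not listed are unrestricted")
    return findings


if __name__ == "__main__":
    # The two policies from the first question, constructed here for the demo.
    allure = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
    html_report = "sandbox allow-scripts;"
    combined = merge_csp(allure, html_report)
    print(combined)
    for finding in audit_csp(combined):
        print("finding:", finding)
```

The merge keeps the first policy's directive order and appends the sandbox directive, so both plugins get what they asked for in one property value. The audit then points at the part worth thinking about: 'unsafe-inline' and 'unsafe-eval' in script-src are what let a stored report run arbitrary script in the Jenkins origin, which is exactly why the sandbox directive and 'self'-only sources are preferable to the default-src * variants quoted above.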
