问题
I'm trying to report my .html file with HTML publisher plugin in Jenkins
however,since HTML publisher is updated to version 1.10, can't publish HTML.
Error message I'm getting:
Blocked script execution in '{mydomain}' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.
I found this doc: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
It tells about CSP.
I run Jenkins with arg :
/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *; -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1
but still got same error above.
what i tried args :
1. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'self';"
2. -Dhudson.model.DirectoryBrowserSupport.CSP=
3. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src *;"
4. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src *;"
.html is located in :
{mydomain}/job/{job_name}/Doc/index.html
回答1:
Can you have a try with a blank CSP option?
/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP= -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1
On my Jenkins instance, it solved my reporting issues.
I know it's not a safe option, but I didn't find another solution :(
回答2:
I faced similar issue I found and applied following solution:
Steps:
- Go to the Jenkins Admin page (login as admin).
- Go to Manage Jenkins -> Script Console
- Then in the script console copy paste following it made it work
Snippet: System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src *; style-src * http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'");
This link provides more details on each of the parameters that we have set in the above code line.
Note for Persistency in jenkins configuration:
@RayKim mentioned this is not a sustainable change. If you want to keep this change permanently then in that case you should set this property values up in the JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.remoting.Launcher.pingIntervalSec=0"
After setting this variable you have to restart your Jenkins to load the new configuration.
来源:https://stackoverflow.com/questions/36446279/jenkins-html-publisher-plugin-allow-script-permission-issue