
I have a Jenkins pipeline that creates an HTML file and a CSS file. When using Firefox everything works fine. When using the latest Chrome (95.0.4638.69), the CSS file won't be loaded.

The problem seems to be that Chrome doesn't send the session cookie when loading the HTML file and requesting the CSS file (checked with the developer tools: I see a 403 Forbidden in the Network tab when Chrome requests the CSS; the cookie is correctly sent when requesting the HTML file). When I access the CSS URL directly in Chrome, the cookie is sent and I get a response.

The only special thing on the HTML page: Jenkins sets the following headers:

Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-Content-Type-Options: nosniff
X-WebKit-CSP: sandbox; default-src 'none'; img-src 'self'; style-src 'self';

But as far as I understand, style-src 'self' means that CSS from the same server is allowed. In my example the HTML is at http://localhost:8080/job/aaa/4/artifact/result.html and the CSS at http://localhost:8080/job/aaa/4/artifact/styles.css.

I created a simple Jenkinsfile for testing:

pipeline {

    agent any

    stages {
        
        stage('Create HTML') {
            steps {
                createHtml()
            }
        }

    }
    
}

def createHtml() {
    createHtmlPage();
    createStylesheetFile();
    
    // 'archive' is deprecated in Pipeline: Basic Steps; archiveArtifacts is the replacement step
    archiveArtifacts artifacts: '*.html,*.css'
    
    publishHTML([allowMissing: false,
     alwaysLinkToLastBuild: true,
     keepAll: true,
     reportDir: '.',
     reportFiles: 'result.html',
     reportName: 'Test'
    ])
    
}

private void createHtmlPage() {
    String result = """<!DOCTYPE html>
        <html>
        <head>
            <title>Test</title>
            <link rel="stylesheet" href="styles.css">
        </head>
        <body>
        <h1>Test</h1>
        </body>
        </html>
    """ 
    
    writeFile file: 'result.html', text: result
}

// Writes the file and returns nothing, so the return type is void rather than String
private void createStylesheetFile() {
    String styles = """
        body {
            font-family: Arial, Helvetica, sans-serif;
            color: blue;
            background: green;
        }
    """
        
    writeFile file: 'styles.css', text: styles
}

I also tried disabling the CSP settings in Jenkins, but got the same result.

With further searching and clicking around I found out that Chrome is not sending the cookie because Jenkins creates it without a 'SameSite' attribute. So Chrome sets it to 'Lax', which means 'Cookies are not sent on normal cross-site subrequests'.

So I am trying to find out how to set SameSite in Jenkins.

TomStroemer

1 Answer


After some more search around, I found some resources and answers:

  1. The Jenkins session cookie is created without a 'SameSite' attribute, so it is set to 'Lax'. This does not allow cookies to be sent on subrequests. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
  2. After changing the CSP settings in Jenkins via the admin GUI you need to log out and log in again. The process of changing the setting is described here: Jenkins - HTML Publisher Plugin - No CSS is displayed when report is viewed in Jenkins Server
  3. I found a Jenkins issue for the problem with some workarounds: https://issues.jenkins.io/browse/JENKINS-61925?attachmentViewMode=list - I changed the Content Security Policy to "sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self';" and now it works.
  4. I hope that Jenkins changes the cookie settings for the session cookie. Until then I don't know any other solution.
TomStroemer
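The following is an added example, not code from the question, the answer or Jenkins itself: a stand-alone Node.js server that reproduces the setup described in the question (an HTML page served with the Jenkins CSP headers, a stylesheet that returns 403 unless the session cookie arrives, and a session cookie set without a SameSite attribute) so that the two policies from the answer's item 3 can be compared in Chrome and Firefox. The cookie name JSESSIONID, the port 8081 and the /login and /artifact/ paths are assumptions (Jenkins' real session cookie carries a per-instance suffix). The point the example makes visible: under a CSP `sandbox` directive without `allow-same-origin`, the document gets an opaque origin, so the browser treats its request for styles.css as cross-site, and a cookie that Chrome 80+ defaults to SameSite=Lax is withheld. Firefox 93 did not apply Lax by default, which is why the report worked there. Adding `allow-same-origin` keeps the document's real origin and the cookie is sent again.

```javascript
// Added example, not part of the original question or answer. Reproduces the
// Jenkins report setup locally so the two CSP variants can be compared.
// Assumptions: cookie name JSESSIONID (Jenkins uses JSESSIONID.<suffix>),
// port 8081, and the /login and /artifact/ paths.

const SESSION_COOKIE = 'JSESSIONID';
const SESSION_VALUE = 'demo-session';          // constructed, not a real session id
const BASE_CSP = "default-src 'none'; img-src 'self'; style-src 'self';";

// Build the Content-Security-Policy value. Without allow-same-origin the
// sandboxed document has an opaque origin, so its subresource requests are
// cross-site and a cookie without SameSite (Lax by default in Chrome) is withheld.
function cspHeader(allowSameOrigin) {
  return (allowSameOrigin ? 'sandbox allow-same-origin; ' : 'sandbox; ') + BASE_CSP;
}

// Minimal Cookie request-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Report the SameSite mode a Set-Cookie value will get in Chrome 80+:
// the explicit attribute if present, otherwise Lax.
function effectiveSameSite(setCookie) {
  const m = /;\s*SameSite=(\w+)/i.exec(setCookie);
  return m ? m[1] : 'Lax (default, attribute absent)';
}

function hasSession(req) {
  return parseCookies(req.headers.cookie)[SESSION_COOKIE] === SESSION_VALUE;
}

const HTML = `<!DOCTYPE html>
<html><head><title>Test</title><link rel="stylesheet" href="styles.css"></head>
<body><h1>Test</h1></body></html>`;
const CSS = 'body { font-family: Arial, Helvetica, sans-serif; color: blue; background: green; }';

// Pure request handler so the logic is testable without sockets:
// { method, url, headers } -> { status, headers, body }.
function handle(req, allowSameOrigin) {
  if (req.url === '/login') {
    // Like Jenkins: the session cookie carries no SameSite attribute.
    return {
      status: 302,
      headers: { 'Set-Cookie': `${SESSION_COOKIE}=${SESSION_VALUE}; Path=/; HttpOnly`,
                 Location: '/artifact/result.html' },
      body: '',
    };
  }
  if (!hasSession(req)) {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'Forbidden' };
  }
  if (req.url === '/artifact/result.html') {
    return {
      status: 200,
      headers: { 'Content-Type': 'text/html',
                 'Content-Security-Policy': cspHeader(allowSameOrigin),
                 'X-Content-Type-Options': 'nosniff' },
      body: HTML,
    };
  }
  if (req.url === '/artifact/styles.css') {
    return { status: 200, headers: { 'Content-Type': 'text/css', 'X-Content-Type-Options': 'nosniff' }, body: CSS };
  }
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'Not found' };
}

// Bind the pure handler to a real listener on 127.0.0.1.
function startServer(port, allowSameOrigin) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const out = handle({ method: req.method, url: req.url, headers: req.headers }, allowSameOrigin);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  });
  server.listen(port, '127.0.0.1', () => {
    console.log(`open http://127.0.0.1:${port}/login  (allow-same-origin: ${allowSameOrigin})`);
  });
  return server;
}

// Usage: node repro.js --serve            (CSS request gets 403 in Chrome)
//        node repro.js --serve --allow-same-origin   (CSS loads)
if (process.argv.includes('--serve')) {
  startServer(8081, process.argv.includes('--allow-same-origin'));
}

if (typeof module !== 'undefined') {
  module.exports = { cspHeader, parseCookies, effectiveSameSite, handle, startServer };
}
```

Run it with `--serve`, open the /login URL in Chrome, and watch the Network tab: the request for styles.css carries no Cookie header and gets the 403. Restart with `--allow-same-origin` and the same request carries the cookie. On a real Jenkins the equivalent change is the answer's item 3; Jenkins reads that policy from the `hudson.model.DirectoryBrowserSupport.CSP` system property, which can be set from the Script Console for a running instance or with `-D` on the JVM command line to survive restarts.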