
I am generating code coverage for my Rust project and am trying to publish the results to Jenkins using publishHTML. All good, except that when I try to view the HTML the CSS does not load because of this error:

Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/bulma@0.9.1/css/bulma.min.css' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

How do I fix this? I doubt I'm the first person to run into this.

I did have the thought to rewrite the generated HTML to use a local stylesheet, but I ran into weird access permissions in the Jenkins workspace and I could not get that to work.

This is the command I am using to generate the reports:

grcov . --binary-path workspaces -s . -t html --branch --ignore-not-existing -o ./code_coverage/

I'd appreciate any suggestions on how to fix this or how to better deploy my results.

Shepmaster
DungeonTiger
  • Stylesheets and probably most other resources are only allowed to load from the same domain/port that your webserver serves the pages from. Don't use a CDN then; instead download the external resources and deploy them on your webserver as static assets. – connexo Dec 07 '21 at 19:59

1 Answer


The default CSP header in Jenkins is:

sandbox; default-src 'none'; img-src 'self'; style-src 'self';

so you have to add https://cdn.jsdelivr.net/npm/ (or https://cdn.jsdelivr.net) to the style-src directive.

You can use a post-initialization script (init hook) to run some additional things right after Jenkins starts up. Create a file, such as $JENKINS_HOME/init.groovy.d/adjust-content-security-policy.groovy (or any .groovy file in the $JENKINS_HOME/init.groovy.d/ directory) with this single line:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox; default-src 'self'; img-src 'self'; style-src 'self' https://cdn.jsdelivr.net/npm/")

and it will be executed after Jenkins has started.

Please note the "Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback" in the violation message. This means that the default Jenkins CSP was changed and the style-src directive is absent. So check the files in the $JENKINS_HOME/init.groovy.d/ directory; maybe you already have one with CSP settings.
The safest way is to see in the browser console what CSP header you do have, add style-src 'self' https://cdn.jsdelivr.net/npm/ to it, and then set the resulting CSP with System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "..."). Perhaps the Jenkins documentation is just behind the times.

There is also a way to use the jenkins.xml file if you run Jenkins on Windows. Add the property:

-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'self'; img-src 'self'; style-src 'self' https://cdn.jsdelivr.net/npm/"

in <service><arguments> before the -jar, then restart the service. See details here and here.

granty
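An init-hook variant of the "read the current policy, add the source, set the result" approach from the answer above, as an added example that is not the answerer's or the Jenkins project's code. It adds the CDN only to style-src and keeps every other directive as it was; the helper name addCspSource is hypothetical, and the fallback string is the default policy quoted in the answer.

```groovy
// Added example: save as a .groovy file in $JENKINS_HOME/init.groovy.d/

// Return `policy` with `source` added to `directive`; other directives are kept.
String addCspSource(String policy, String directive, String source) {
    def directives = new LinkedHashMap<String, List<String>>()
    policy.split(';').collect { it.trim() }.findAll { it }.each { part ->
        def tokens = part.split(/\s+/) as List<String>
        // Browsers honour only the first occurrence of a directive.
        directives.putIfAbsent(tokens[0].toLowerCase(), new ArrayList<String>(tokens.drop(1)))
    }
    // A missing directive falls back to default-src, so start from those values.
    def values = directives[directive]
    if (values == null) {
        values = new ArrayList<String>(directives['default-src'] ?: [])
        directives[directive] = values
    }
    values.remove("'none'")          // 'none' must not be combined with other sources
    if (!values.contains(source)) {
        values << source
    }
    return directives.collect { name, vals ->
        vals ? "${name} ${vals.join(' ')}" : name
    }.join('; ')
}

String key = 'hudson.model.DirectoryBrowserSupport.CSP'
// Default quoted in the answer above; used only when the property is unset.
String jenkinsDefault = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
String current = System.getProperty(key)

if (current != null && current.trim().isEmpty()) {
    // An empty value means the CSP header is switched off; nothing to allow.
    println "${key} is empty, leaving it unchanged"
} else {
    String updated = addCspSource(current ?: jenkinsDefault, 'style-src', 'https://cdn.jsdelivr.net/npm/')
    System.setProperty(key, updated)
    println "${key} = ${updated}"
}
```

Because the script merges into whatever policy is already in effect, it does not widen default-src or drop sandbox the way a hand-typed replacement string can.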