Content Security Policy Jenkins

0
votes

Question - so I am trying to use the protractor-beautiful-reporter on my jenkins install. This is an agular app. However when the page is rendered showing that the angular bit isn't working. Looking at the console for the page shows the following:

Content Security Policy: The page’s settings blocked the loading of a resource at https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js (“script-src http://dskvm4981-iis:8080 'unsafe-inline' 'unsafe-eval'”).

I already use a couple of setProperty to override CSP for the machine. These are: 

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")

System.setProperty("jenkins.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")

Anyone know how change the above to work from either a local file or a remote file?

1
jenkinsprotractor
The “script-src http://dskvm4981-iis:8080 'unsafe-inline' 'unsafe-eval'” part of the error message indicates you have a CSP policy specified somewhere other than with the System.setProperty properties — maybe you have it in a meta element in the document itself? — and that policy is only allowing scripts from http://dskvm4981-iis:8080. Wherever you have the CSP policy specified, you need to change it to allow the script from https://ajax.googleapis.com/; e.g., script-src http://dskvm4981-iis:8080 https://ajax.googleapis.com/ 'unsafe-inline' 'unsafe-eval'” - sideshowbarker
Is there a way of seeing what CSP policies are set? - Joseph
The way to see what CSP policies are set is (1) to look at the response headers in your browser devtools and check the Content-Security-Policy response header there, and (2) to check the source of the document in devtools and look for a meta element with http-equiv=Content-Security-Policy. Those two places are the only ways a CSP policy can be set. - sideshowbarker

1 Answers

0
votes

One workaround would be to avoid having the report download Angular source at all by either requesting this kind of change on the protractor-beautiful-reporter issue tracker or forking the package copying the angular source and changing the source of the script from:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"></script>

to something like:

<script src="angular.min.js"></script>

having the minified angular js file downloaded to be near the index.html itself.

This is no more than a workaround, of course.