Jenkins HTML Publisher Plugin : allow script permission issue

Question

I'm trying to report my .html file with HTML publisher plugin in Jenkins however,since HTML publisher is updated to version 1.10, can't publish HTML.

Error message I'm getting:

Blocked script execution in '{mydomain}' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.

I found this doc: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

It tells about CSP.

I run Jenkins with arg :

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *; -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1 

but still got same error above.

what i tried args :

 1. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'self';"
 2. -Dhudson.model.DirectoryBrowserSupport.CSP=
 3. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src *;"
 4. -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src *;"    

.html is located in :

{mydomain}/job/{job_name}/Doc/index.html

Answer 1

For me above didn't work;

I tried this

Manage Jenkins -> Script Console Copy-paste this

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

For permanent solution: Add the following to JAVA_ARGS under /etc/default/jenkins:

-Dhudson.model.DirectoryBrowserSupport.CSP=""

Answer 2

I faced similar issue I found and applied following solution:

Steps:

1. Go to the Jenkins Admin page (login as admin).
2. Go to Manage Jenkins -> Script Console
3. Then in the script console copy paste following it made it work

Snippet: System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src *; style-src * http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'");

This link provides more details on each of the parameters that we have set in the above code line.

Note for Persistency in jenkins configuration: @RayKim mentioned this is not a sustainable change. If you want to keep this change permanently then in that case you should set this property values up in the JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.remoting.Launcher.pingIntervalSec=0"

After setting this variable you have to restart your Jenkins to load the new configuration.