Timeline report not rendering in Jenkins HTML report without loosening CSP even more
Scenario
- Run Karate tests in Jenkins.
- In the Jenkins build, save the Karate report in Jenkins using the HTML publisher plugin, i.e. have something like this in the Jenkinsfile:
    publishHTML(target: [allowMissing: false,
                         alwaysLinkToLastBuild: true,
                         keepAll: true,
                         reportDir: 'target/karate-reports',
                         reportFiles: '*.html',
                         reportName: 'Karate Report',
                         reportTitles: 'Karate Report'])
- Look at the timeline report in Jenkins
Expected
Timeline report is displayed correctly
Actual
A mostly blank page is displayed:
Further info/discussion
What’s happening is that Jenkins sends a Content-Security-Policy header. We’ve actually previously loosened this to show the HTML reports, by setting the CSP header to:
    default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:;
However, I’ve noticed that this isn’t working for karate-timeline.html, as that references vis.min.js and vis.min.css from a CDN: https://github.com/karatelabs/karate/blob/5050e3010a47aa9c4db308440c777f2c9aa5ad63/karate-core/src/main/java/com/intuit/karate/report/karate-timeline.html#L11-L12
Contrast this to karate-feature.html, which does this: https://github.com/karatelabs/karate/blob/5050e3010a47aa9c4db308440c777f2c9aa5ad63/karate-core/src/main/java/com/intuit/karate/report/karate-feature.html#L9-L11
We could loosen our CSP even more to allow stuff from https://cdnjs.cloudflare.com, but I think it would make more sense to not fetch the vis dependency from a CDN in the first place, and to add it to this repo as is done for other deps like jquery and bootstrap. Was there a reason why this wasn’t done at the time, or couldn’t be done?
Thanks in advance, Ismail
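The issue above boils down to a CSP source-matching question: under Jenkins' policy, every external script or stylesheet URL falls through to default-src 'self', so only same-origin (vendored) assets load. The script below is an added example, not code from Karate or Jenkins: it pulls the script/link/img URLs out of a report page and reports which ones a given CSP header would block, using the two-line CDN reference and the self-hosted style as constructed stand-ins for karate-timeline.html and karate-feature.html. The sample HTML, the res/ paths, the CDN paths and the jenkins.example.com origin are all assumptions for illustration; the first CSP string is the one quoted in the issue, the second is the "loosen it further" alternative the issue argues against.

```python
"""Added example: which <script>/<link>/<img> URLs in a Karate HTML report would
a Jenkins Content-Security-Policy block?  Not part of Karate or Jenkins; the
sample HTML and the loosened CSP below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The CSP quoted in the issue: script/style URLs have no directive of their
# own, so they fall through to default-src and only 'self' URLs load.
JENKINS_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
               "img-src 'self' 'unsafe-inline' data:;")

# The alternative the issue rejects: allow-list the CDN origin as well.
LOOSENED_CSP = JENKINS_CSP + (" script-src 'self' 'unsafe-inline' 'unsafe-eval' "
                              "https://cdnjs.cloudflare.com; "
                              "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;")

# Constructed stand-ins for the two report templates (paths assumed).
TIMELINE_LIKE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/vis/vis.min.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/vis/vis.min.css">
</head><body><div id="timeline"></div></body></html>"""

FEATURE_LIKE = """<html><head>
<script src="res/jquery.min.js"></script>
<link rel="stylesheet" href="res/bootstrap.min.css">
</head><body><img src="data:image/png;base64,iVBORw0KGgo="></body></html>"""


def parse_csp(header):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class ResourceCollector(HTMLParser):
    """Collect (governing directive, URL) for every fetched sub-resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.resources.append(("script-src", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in a.get("rel", "").lower():
            self.resources.append(("style-src", a["href"]))
        elif tag == "img" and a.get("src"):
            self.resources.append(("img-src", a["src"]))


def source_allowed(url, sources, report_origin):
    """Does the URL match one of the directive's source expressions?"""
    parts = urlsplit(url)
    if parts.scheme in ("data", "blob"):
        return f"{parts.scheme}:" in sources      # '*' never matches data:/blob:
    if not parts.netloc:                          # relative URL: same origin as the report
        return "'self'" in sources or "*" in sources
    report = urlsplit(report_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if parts.hostname == report.hostname and parts.scheme in ("", report.scheme):
                return True
            continue
        if src.startswith("'"):                   # other keywords never match a URL
            continue
        host_src = urlsplit(src if "://" in src else "//" + src)
        if host_src.scheme and parts.scheme and host_src.scheme != parts.scheme:
            continue
        if host_src.hostname.startswith("*."):    # *.example.com matches any subdomain
            if parts.hostname.endswith(host_src.hostname[1:]):
                return True
        elif host_src.hostname == parts.hostname:
            return True
    return False


def blocked_resources(html, csp, report_origin="https://jenkins.example.com"):
    """Return the (directive, url) pairs the browser would refuse to load."""
    policy = parse_csp(csp)
    collector = ResourceCollector()
    collector.feed(html)
    blocked = []
    for directive, url in collector.resources:
        sources = policy.get(directive, policy.get("default-src", []))
        if not source_allowed(url, sources, report_origin):
            blocked.append((directive, url))
    return blocked


if __name__ == "__main__":
    for name, html in (("timeline", TIMELINE_LIKE), ("feature", FEATURE_LIKE)):
        print(name, "blocked under Jenkins CSP:", blocked_resources(html, JENKINS_CSP))
    print("timeline blocked under loosened CSP:", blocked_resources(TIMELINE_LIKE, LOOSENED_CSP))
```

Run against the timeline stand-in, both CDN URLs come back blocked under the issue's CSP and nothing is blocked for the feature-style page, which is exactly the symptom reported. Adding https://cdnjs.cloudflare.com to script-src and style-src also clears the list, but at the cost of trusting a third-party origin to serve executable script into the Jenkins origin; vendoring vis.min.js and vis.min.css next to the report, as the issue proposes, keeps the policy at 'self'.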
Issue Analytics
- Created 2 years ago
- Comments: 6 (6 by maintainers)
Top GitHub Comments
@ptrthomas Thanks. I’ve given it a try and the timeline report is now rendering correctly.
@ismail-s thank you for the PR. I’ll keep this open and close it when we release 1.2.0 final (process we follow)