Istanbul: Enhancement: Move remaining inline styles in HTML report to a separate CSS file

Created on 10 Apr 2016 · 3 Comments · Source: gotwarlost/istanbul

To allow the generated HTML reports to better comply with W3C Content Security Policy (CSP) specifications, it would be helpful to move the few inline styles within the generated HTML output to instead reference a separate CSS file.

All 3 comments

+1 this seems to break styles after publishing HTML coverage reports on Jenkins due to default Content-Security-Policy https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

In browser console I see errors like:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-lHXTXVoMUY2/p3pxQI6CRA0n02Rrs2+ZoQFL/rrqCXA='), or a nonce ('nonce-...') is required to enable inline execution.

Header is Content-Security-Policy:sandbox; default-src 'none'; img-src 'self'; style-src 'self';

Also html publisher plugin folks already stated that they won't fix it on their side: https://issues.jenkins-ci.org/browse/JENKINS-32590

Problem isn't just with the inline-style, but also with the 'sandbox' CSP, since HTML publisher loads the report in an iframe:

Blocked script execution in 'https://<jenkins/Coverage_Report/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.inject 

+1
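
An added example (not from the issue thread or the Istanbul project): a Node.js check that scans a generated report page against a CSP header value and lists what the policy quoted in the comments would block, covering both the inline styles and the sandboxed scripts. The names `parseCsp` and `auditReport` and the sample HTML are constructed for illustration; the scan is regex-based and does not evaluate nonces or 'unsafe-hashes'.

```javascript
const crypto = require('crypto');

// Header value quoted in the thread above.
const JENKINS_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
// Constructed sample, not real Istanbul output.
const SAMPLE_HTML = `<html><head><link rel="stylesheet" href="base.css">
<style>.x{color:red}</style></head>
<body><div class="bar" style="width: 80%"></div>
<script src="sorter.js"></script></body></html>`;

// Parse a CSP header value; the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Heuristic regex scan (not a full HTML parser; nonces are not evaluated).
function auditReport(html, cspHeader) {
  const policy = parseCsp(cspHeader);
  const findings = [];
  const styleSrc = policy['style-src'] || policy['default-src']; // fallback
  if (styleSrc) {
    // 'unsafe-inline' is ignored once the list carries a hash or nonce.
    const strict = styleSrc.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    if (strict || !styleSrc.includes("'unsafe-inline'")) {
      for (const m of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) {
        const hash = 'sha256-' + crypto.createHash('sha256').update(m[1]).digest('base64');
        if (!styleSrc.includes(`'${hash}'`)) findings.push({ type: 'style-element', hash });
      }
      // style="" attributes: hashes apply only with 'unsafe-hashes' (not evaluated).
      for (const m of html.matchAll(/<[a-z][^>]*\sstyle\s*=\s*("[^"]*"|'[^']*')/gi)) {
        findings.push({ type: 'style-attribute', value: m[1].slice(1, -1) });
      }
    }
  }
  // A sandbox without allow-scripts blocks every script, external ones too.
  if (policy.sandbox && !policy.sandbox.includes('allow-scripts')) {
    const scripts = (html.match(/<script\b/gi) || []).length;
    if (scripts) findings.push({ type: 'sandboxed-script', count: scripts });
  }
  return findings;
}

console.log(auditReport(SAMPLE_HTML, JENKINS_CSP));
```

Moving the styles into a stylesheet served from the same origin clears the two style findings under `style-src 'self'`; the script finding remains for as long as the `sandbox` directive lacks `allow-scripts`.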
