Remove inline styles and scripts for better Jenkins CSP compliance about reportgenerator HOT 9 CLOSED

I will have a look at this. But it may take some time

from reportgenerator.

Thanks! For what it's worth, I had to set a variety of CSP settings to allow Jenkins to display ReportGenerator content properly:

sandbox allow-scripts; default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'

The data: URL was to handle inline base64 images, the 'unsafe-inline' for styles was to handle the style attributes (style="width:92px", etc.), the 'unsafe-inline' for scripts was to handle the inline JavaScript, and the 'unsafe-eval' was to handle the use of Function() calls.

from reportgenerator.

I took a quick look. Jenkins is very restrictive.
Some of my inline styles could be easily replaced by CSS classes (I don't understand why this should be safer....). But for example the red/green bar which indicates coverage is rendered with inline styles. I don't want to render this with JavaScript, this would break clients with JavaScript disabled.
I'm not sure what to do here.

from reportgenerator.

Yeah, defining 100 different CSS classes for 1-100px widths does seem unappealing, although that does seem to be the only non-JS way to get around an inline style prohibition. Some more info on the dangers of inline styles is here: http://stackoverflow.com/a/31759553/466874.

from reportgenerator.

I started working on this issue. I think I can provide a new release in the next days.

from reportgenerator.

Thanks Daniel. I really appreciate it.

from reportgenerator.

Could you please test this release: https://www.nuget.org/packages/ReportGenerator/2.4.0-beta2
I removed all inline styles and scripts.

With the default Jenkins settings ("sandbox; default-src 'self';") you should see a correctly formatted static report.

If you enable scripts with the following command, all dynamic features should work:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self';")

Let me know if something is not working yet.

from reportgenerator.

I just tested it after resetting the Jenkins CSP to its default, and the report renders correctly as a static document (with green/red bars of the proper widths). I then adjusted the CSP to the setting you'd suggested, and it rendered properly with all the usual dynamic controls (expand/collapse and the Grouping slider). It works perfectly. Thank you!

from reportgenerator.

Great. Thanks for your input and help.

from reportgenerator.