
Browser test Jenkins videos do not always play in-browser
Closed, Declined (Public)

Description

Problem

Clicking video links on https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/725/

e.g.
https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/725/artifact/log/Search%3A%20Search%20with%20search%20in%20pages%20button.mp4

do not work :(

Reason

Jenkins Content Security Policy defaults to sandbox; default-src 'none'; img-src 'self'; style-src 'self';:

Specifically, default-src 'none' prohibits loading scripts, URLs for AJAX/XHR/WebSockets/EventSources, fonts, plugin objects, media, and frames from anywhere.
Images and styles are allowed via img-src 'self' and style-src 'self'

Might want to set media-src: self.

Work-around

Download the video (right-click, save-as) and play it locally (it's not actually corrupt, even if your browser says it is).

Event Timeline

zeljkofilipin moved this task from Next to In Progress on the Browser-Tests-Infrastructure board.
zeljkofilipin added subscribers: hashar, dduvall.

@hashar did something change recently in Jenkins slaves that could cause the failure?

Looks like the video files are not corrupt.

Steps to reproduce:

Environment:

  • Mac OS 10.11.6
  • VLC 2.2.4

Steps to reproduce the problem:

firefox.png (819×1 px, 397 KB)

Environment:

  • Mac OS 10.11.6
  • Firefox 50 and 52
  • Chrome 55
  • Safari 10
zeljkofilipin lowered the priority of this task from Medium to Low.
zeljkofilipin moved this task from Deep work 🌊 to Watching 📺 on the User-zeljkofilipin board.
zeljkofilipin moved this task from In Progress to CI on the Browser-Tests-Infrastructure board.
zeljkofilipin subscribed.

Joaquin was able to download and view with VLC player. I used to be able to view these in browser. Did we change how we encode/build these videos?

The video is not corrupt for sure. On Chromium it downloads the video directly. On Safari it tries to play it and fails.

$ curl --head 'https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/725/artifact/log/Search%3A%20Search%20with%20search%20in%20pages%20button.mp4'
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 16:48:55 GMT
Content-Type: video/mp4
Content-Length: 243571
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-WebKit-CSP: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
X-Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
Last-Modified: Fri, 20 Jan 2017 00:41:09 GMT
Expires: Fri, 20 Jan 2017 00:41:09 GMT
X-Content-Type-Options: nosniff
X-Varnish: 80441678, 37697242, 94794165
Via: 1.1 varnish-v4, 1.1 varnish-v4, 1.1 varnish-v4
Age: 0
X-Cache: cp1058 pass, cp3008 pass, cp3007 pass
X-Cache-Status: pass

So Content-Type: video/mp4 is all fine.

I believe the behavior is due to the X-Content-Security-Policy that is emitted by Jenkins. It instructs the browser to limit what it is going to do with the material. Most probably that prevents the browser from starting the video.

https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
https://content-security-policy.com/

greg renamed this task from Browser test Jenkins videos are corrupt to Browser test Jenkins videos do not always play in-browser. Jan 23 2017, 9:40 PM
greg updated the task description.
zeljkofilipin changed the task status from Open to Stalled. Jan 24 2017, 9:18 AM

Something might have been corrupted in Jenkins. The video/artifacts are deleted after 3 days, hence https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/725/ no longer shows them.

On https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/814/ there is a Search: Search with search in pages button.mp4. My test report:

OS      Browser                  Status
Linux   Firefox 50.1.0           Reads fine
Linux   Chromium 55.0.2883.75    Stall

In the Chromium console I get:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'".
Either the 'unsafe-inline' keyword, a hash ('sha256-H/s/dWGkGDaCkKqmo0VNeHrTgvJjinI5uvu7UmY6EB8='), or a nonce ('nonce-...') is required to enable inline execution.

Search%3A%20Search%20with%20search%20in%20pages%20button.mp4:1
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'".
Either the 'unsafe-inline' keyword, a hash ('sha256-tP5iqpjKZrmnaz9cTRYjAqFmS6shSSwenzunZ9/UKB4='), or a nonce ('nonce-...') is required to enable inline execution.

Search%3A%20Search%20with%20search%20in%20pages%20button.mp4:1
Refused to load media from 'https://integration.wikimedia.org/ci/job/mwext-mw-selenium-jessie/814/artifact/log/Search%3A%20Search%20with%20search%20in%20pages%20button.mp4' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.

And the x-content-security-policy is: sandbox; default-src 'none'; img-src 'self'; style-src 'self';

So in short, we might want to set media-src: self. But I can't tell about the security implication.
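
The default-src fallback that Chromium reports above, worked through as an added example (not code from this task or from Jenkins): a small JavaScript resolver for fetch directives that handles only 'none', 'self', '*' and exact-origin sources. The job URL in VIDEO is a constructed sample, and WITH_MEDIA is an assumed candidate policy, not a tested Jenkins setting.

```javascript
// Minimal CSP fetch-directive resolution (added example, not a full CSP engine).
// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (media-src, img-src, ...) fall back to default-src when absent.
function effectiveDirective(policy, directive) {
  for (const name of [directive, 'default-src']) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // nothing restricts this fetch type
}

// Decide whether `url` may be loaded by a document served from `documentUrl`.
// Reports which directive made the decision, like the browser console message.
function isAllowed(header, directive, url, documentUrl) {
  const { from, sources } = effectiveDirective(parseCsp(header), directive);
  if (sources === null) return { allowed: true, from };
  const target = new URL(url).origin;
  const self = new URL(documentUrl).origin;
  const allowed = sources.some((s) => {
    const src = s.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") return target === self;
    if (src === '*') return true;
    try { return new URL(src).origin === target; } catch { return false; }
  });
  return { allowed, from };
}

// Policy copied from the curl output on this page.
const JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
// Assumed candidate policy: the same header plus a media-src directive.
const WITH_MEDIA = JENKINS_DEFAULT + " media-src 'self';";
// Constructed sample URL on the Jenkins origin.
const VIDEO = 'https://integration.wikimedia.org/ci/job/example/1/artifact/log/video.mp4';

console.log(isAllowed(JENKINS_DEFAULT, 'media-src', VIDEO, VIDEO)); // decided by default-src
console.log(isAllowed(WITH_MEDIA, 'media-src', VIDEO, VIDEO));      // decided by media-src
```

Under WITH_MEDIA, script-src still falls back to default-src 'none', so adding a media directive leaves script loading blocked.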

@hashar should we just decline this, since there is an easy workaround (download the file)?

There is a workaround.