Badges on Google Chrome

SonarQube version: 8.7
I have a problem visualizing project_badges on Google Chrome; on Firefox it works fine.

The problem.

I share the project_badges with GitLab. When I access GitLab from Google Chrome, the project_badges are not shown.

Logs from google chrome

Request URL: project_badges
Referrer Policy: same-origin
Provisional headers are shown
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
project: teste
metric: vulnerabilities

Can anybody help me with this problem?


Hi @jefferson.divino,

In order to be able to help you, I’d need as much information as possible. Please provide me with:

  1. The full details of the request (+ response) that is sent by Chrome (F12, then Network tab)
  2. Snapshots of the issues
  3. Versions of both Chrome and Firefox


Hello @Philippe_Perrin

Thanks for your answer.

Chrome version: Version 90.0.4430.93 (Official version) 64-bit
Firefox version: 88.0 (64-bit).

Below is the F12 screenshot in Chrome.

Below is the screenshot of the badges when accessing GitLab in Chrome.

Could you please share your badge configuration on the Gitlab side?

This same configuration works fine on firefox.

I can’t figure out what could be wrong here sorry. I’d like to suggest that you:

  1. Check the returned HTTP code when you call the badge image URL directly in the Chrome browser URL field.
  2. Verify your badge image URL: if you're exposing your SonarQube instance to the internet (as it appears), you should definitely use https over http.


Just in case: I probably know the cause. The Chrome browser doesn’t send the SonarQube cookies to the server, so the user is not authorized to see the badges. I think it is a security feature in the browser not to send cookies when the domain name is different, etc. Example:

  • Git server, badges in the file
  • SonarQube URL: https://my.sonar/

When a badge is accessed directly, by opening https://my.sonarapi/project_badges/measure?project=foobar&metric=alert_status it works, Chrome sends cookies:

set-cookie: JWT-SESSION=long-code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure; HttpOnly
set-cookie: XSRF-TOKEN=code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure

But when it is requested as an image in the file (different domain), the cookies are not set.
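
The behaviour described in the post above matches Chrome's default of treating a cookie that has no SameSite attribute as SameSite=Lax. The sketch below is an added example, not part of the original thread or SonarQube's code; it applies that rule (an assumption about the cause here) to the two Set-Cookie lines quoted above, and all function names are hypothetical.

```python
# Added example: model of Chrome's SameSite rules applied to the quoted cookies.
SET_COOKIE_LINES = [  # copied from the post; the values are the post's own placeholders
    "JWT-SESSION=long-code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure; HttpOnly",
    "XSRF-TOKEN=code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure",
]

def parse_set_cookie(line):
    """Split a Set-Cookie value into (name, attributes) with lower-case attribute keys."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def effective_samesite(attrs):
    """Mode the browser enforces; a missing or unknown SameSite is treated as Lax."""
    mode = attrs.get("samesite", "").lower()
    if mode == "none":
        # SameSite=None is only honoured when the cookie is also Secure.
        return "none" if "secure" in attrs else "rejected"
    return mode if mode in ("strict", "lax") else "lax"

def sent_with(attrs, cross_site, top_level_get):
    """Would the cookie be attached to a request of this kind?"""
    mode = effective_samesite(attrs)
    if mode == "rejected":
        return False
    if not cross_site or mode == "none":
        return True
    # Cross-site: Lax cookies go only with top-level GET navigations, never with <img>.
    return mode == "lax" and top_level_get

def report(lines):
    """For each cookie: sent when the badge URL is opened directly vs. embedded as an image."""
    result = {}
    for line in lines:
        name, attrs = parse_set_cookie(line)
        result[name] = {
            "direct_open": sent_with(attrs, cross_site=False, top_level_get=True),
            "embedded_img": sent_with(attrs, cross_site=True, top_level_get=False),
        }
    return result

if __name__ == "__main__":
    for cookie, outcome in report(SET_COOKIE_LINES).items():
        print(cookie, outcome)
```
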