Badges on Google Chrome

SonarQube version: 8.7
I have a problem visualizing project_badges on Google Chrome; on Firefox it works fine.

The problem.

I share the project_badges with GitLab; when I access GitLab from Google Chrome, the project_badges are not shown.

Logs from Google Chrome

Request URL: project_badges
Referrer Policy: same-origin
Provisional headers are shown
Referer
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
project: teste
metric: vulnerabilities

Can anybody help me with this problem?

Thanks

Hi @jefferson.divino,

In order to be able to help you, I’d need as much information as possible. Please provide me with:

  1. The full details of the request (+ response) that is sent by Chrome (F12, then Network tab)
  2. Snapshots of the issues
  3. Versions of both Chrome and Firefox

Cheers

Hello @Philippe_Perrin

Thanks for your answer.

Chrome version: Version 90.0.4430.93 (Official version) 64-bit
Firefox version: 88.0 (64-bit).

Below is the F12 screenshot in Chrome.

Below is the screenshot of the badges when accessing GitLab in Chrome.

Could you please share your badge configuration on the GitLab side?

This same configuration works fine on Firefox.

I can’t figure out what could be wrong here, sorry. I’d like to suggest that you:

  1. Check the returned HTTP code when you call the badge image URL directly in the Chrome browser URL field.
  2. Verify your badge image URL: if you’re exposing your SonarQube instance to the internet (as it appears), you should definitely use https over http.

Cheers

Hello,
Just in case, I probably know the cause. The Chrome browser doesn’t send the SonarQube cookies to the server, so the user is not authorized to see the badges. I think it is a security feature in the browser not to send cookies when the domain name is different, etc. Example:

  • Git server https://example.org/git.server, badges in the README.md file
  • SonarQube URL: https://my.sonar/

When a badge is accessed directly, by opening https://my.sonar/api/project_badges/measure?project=foobar&metric=alert_status, it works; Chrome sends cookies:

set-cookie: JWT-SESSION=long-code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure; HttpOnly
set-cookie: XSRF-TOKEN=code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure

But when it is requested as an image in the README.md file (different domain https://example.org/git.server), the cookies are not set.

Cheers
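
The behaviour described in the last post matches Chrome's default of treating cookies that carry no SameSite attribute as SameSite=Lax. The following is an added example (not code from this thread or from SonarQube) that models that rule for the two Set-Cookie headers quoted above; the `siteOf` helper and the request objects are illustrative assumptions.

```javascript
// The two Set-Cookie headers quoted in the thread: neither carries SameSite.
const SET_COOKIES = [
  "JWT-SESSION=long-code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure; HttpOnly",
  "XSRF-TOKEN=code; Max-Age=259200; Expires=Sat, 14-Aug-2021 14:29:19 GMT; Path=/; Secure",
];

// Extract only the attributes that decide cross-site delivery.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Simplification (assumption): "site" = scheme + last two host labels.
// Real browsers use the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// initiator: URL of the embedding page, or null for a URL typed in the address bar.
function isSent(cookie, { target, initiator, topLevelNavigation }) {
  if (cookie.secure && new URL(target).protocol !== "https:") return false;
  if (initiator === null || siteOf(initiator) === siteOf(target)) return true;
  const mode = cookie.sameSite ?? "lax"; // no attribute: Chrome treats it as Lax
  if (mode === "none") return cookie.secure; // None is only accepted with Secure
  if (mode === "lax") return topLevelNavigation; // safe top-level navigation only
  return false; // strict: never sent cross-site
}

// Names of the cookies the browser would attach to the given request.
function cookiesFor(request, headers = SET_COOKIES) {
  return headers.map(parseSetCookie).filter((c) => isSent(c, request)).map((c) => c.name);
}

const BADGE = "https://my.sonar/api/project_badges/measure?project=foobar&metric=alert_status";
// Badge URL opened directly in the address bar.
const direct = { target: BADGE, initiator: null, topLevelNavigation: true };
// Badge loaded as an <img> from the README on the Git server.
const embedded = { target: BADGE, initiator: "https://example.org/git.server", topLevelNavigation: false };

console.log("direct:", cookiesFor(direct));
console.log("README image:", cookiesFor(embedded));
```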