Jenkins Content Security Policy

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both 'self' and 'unsafe-inline':

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.

Jenkins HTML Publisher Plugin : allow script permission issue

Can you have a try with a blank CSP option?

/usr/bin/java -Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP= -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1

On my Jenkins instance, it solved my reporting issues.

I know it's not a safe option, but I didn't find another solution :(

publish html plugin: violates the following Content Security Policy directive

You can disable CSP entirely by setting -Dhudson.model.DirectoryBrowserSupport.CSP= to an empty string.

See Configuring Content Security Policy, CSP directives

Content Security Policy: Refused to load image

Based on your input and the error message you are likely trying to add a CSP to a page that already has one. Adding another policy won't make the existing one less strict. The existing policy can be found in a response header or a meta tag. You need to identify the policy and where it is set and modify that one. Alternatively you can remove it and use the one you have shown above.
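An added example (not from any of the answers above, and not Jenkins code): a simplified JavaScript model of how a browser evaluates the policies discussed on this page. It shows that the relaxed policy permits inline styles but still blocks inline scripts, that a blank policy restricts nothing, and that a second, looser policy cannot relax a stricter one. The function names and the STRICT policy are constructed for illustration; only keyword sources are modelled, not hosts, nonces or hashes.

```javascript
// Added example: simplified CSP model (keyword sources only; no host, nonce or hash matching).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one policy allow `source` (e.g. "'unsafe-inline'" or "'self'") for a fetch directive?
function allows(policy, directive, source) {
  const d = parseCsp(policy);
  const list = d.has(directive) ? d.get(directive) : d.get('default-src');
  if (list === undefined) return true; // nothing restricts this resource type
  // An empty source list, or a lone 'none', matches nothing.
  if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return false;
  if (source === "'unsafe-inline'") return list.includes(source); // '*' never covers inline
  return list.includes(source) || list.includes('*');
}

// A browser enforces every policy it receives: a resource must pass all of them.
function allowedByAll(policies, directive, source) {
  return policies.every((p) => allows(p, directive, source));
}

// Constructed inputs: the policy from the first answer, a stricter one, and the blank setting.
const RELAXED = "default-src 'self'; style-src 'self' 'unsafe-inline';";
const STRICT = "default-src 'none'; img-src 'self'; style-src 'self';";
const BLANK = '';

function report() {
  return {
    inlineStyleRelaxed: allows(RELAXED, 'style-src', "'unsafe-inline'"),
    inlineScriptRelaxed: allows(RELAXED, 'script-src', "'unsafe-inline'"),
    inlineScriptBlank: allows(BLANK, 'script-src', "'unsafe-inline'"),
    inlineStyleBoth: allowedByAll([STRICT, RELAXED], 'style-src', "'unsafe-inline'"),
  };
}
console.log(report());
```

Running a candidate value through a check like this before adding it to the Jenkins startup script shows exactly which protections the change gives up.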
