Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Jenkins 1.641 / Jenkins 1.625.3 introduce the Content-Security-Policy header to static files served by Jenkins (specifically, specifically DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files in workspaces, /userContent, or archived artifacts.

Unfortunately, several popular, useful plugins are affected by this and lose part of their functionality unless the default rules are relaxed.

Table of Contents

The Default Rule Set

The default rule is set to:


  • sandbox limits a number of things of what the page can do, similar to the sandbox attribute set on iframes. For a full list of what is prohibited, see this site. This attribute is not widely supported.
  • default-src 'none' probihits loading  prohibits loading scripts, URLs for AJAX/XHR/WebSockets/EventSources, fonts, plugin objects, media, and frames from anywhere (images and styles would also be prohibited, but are allowed by more specific rules described below).
  • img-src 'self' allows loading images from other files served by Jenkins. Inline image definitions are prohibited.
  • style-src 'self' allows loading style sheets from other files served by Jenkins. Inline style sheets are prohibited.