Jenkins 1.641 / Jenkins 1.625.3 introduce the Content-Security-Policy header for static files served by Jenkins (specifically, by DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files in workspaces, /userContent, or archived artifacts.
Unfortunately, several popular, useful plugins are affected by this and lose part of their functionality unless the default rules are relaxed.
The Default Rule Set
The default rule set consists of the following directives (sandbox; default-src 'none'; img-src 'self'; style-src 'self'):
sandbox limits a number of things the page can do, similar to the sandbox attribute set on iframes. For a full list of what is prohibited, see this site. This directive is not widely supported.
default-src 'none' prohibits loading scripts, URLs for AJAX/XHR/WebSockets/EventSources, fonts, plugin objects, media, and frames from anywhere (images and style sheets would also be prohibited, but are allowed by the more specific rules described below).
img-src 'self' allows loading images from other files served by Jenkins. Inline image definitions are prohibited.
style-src 'self' allows loading style sheets from other files served by Jenkins. Inline style sheets are prohibited.