See content-security-policy.com for a reference on this header and its possible values.
Getting things working
The most expedient approach is to use Jenkins 2.200+ and set up a second domain pointing to the same Jenkins instance (Jenkins URL: build.example.com; Resource Root URL: build-artifacts.example.com). Resources are then served from the resource root URL instead of the Jenkins URL. The advantage is that no cookies are associated with this domain, and file paths are hopefully unpredictable enough that people won't be able to exfiltrate content.
The resource root URLs linked from Jenkins include individual secret keys and can be shared by users with people who don't otherwise have permission to access Jenkins. These URLs have a site-wide configurable timeout.
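The "no cookies associated with this domain" property can be checked before relying on it. The following Python sketch is an added example, not part of the Jenkins documentation: it applies standard cookie domain matching to Set-Cookie headers observed on the Jenkins URL and reports any cookie a browser would also send to the resource root host. The function names, the `https://` scheme and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as if captured from the Jenkins URL.
SESSION_COOKIE = "JSESSIONID.1a2b3c=node0abc123; Path=/; Secure; HttpOnly"
SSO_COOKIE = "sso_session=xyz789; Domain=example.com; Path=/; Secure"


def cookie_reaches_host(set_cookie, origin_host, target_host):
    """Return the cookie name if a browser would send it to target_host, else None."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    for morsel in jar.values():
        domain = morsel["domain"].lstrip(".").lower()
        if not domain:
            # Host-only cookie: returned only to the exact host that set it.
            sent = target_host == origin_host
        else:
            # Domain cookie: returned to that domain and every subdomain of it.
            sent = target_host == domain or target_host.endswith("." + domain)
        return morsel.key if sent else None
    return None  # header could not be parsed as a cookie


def check_resource_root(jenkins_url, resource_root_url, set_cookie_headers):
    """List reasons the resource root host is not isolated from Jenkins cookies."""
    jenkins_host = urlsplit(jenkins_url).hostname
    resource_host = urlsplit(resource_root_url).hostname
    if not jenkins_host or not resource_host:
        return ["both URLs must be absolute, e.g. https://build.example.com/"]
    problems = []
    if resource_host == jenkins_host:
        problems.append("resource root URL uses the same host as the Jenkins URL")
    for header in set_cookie_headers:
        name = cookie_reaches_host(header, jenkins_host, resource_host)
        if name:
            problems.append(f"cookie {name} would be sent to {resource_host}")
    return problems


if __name__ == "__main__":
    for problem in check_resource_root(
        "https://build.example.com/",
        "https://build-artifacts.example.com/",
        [SESSION_COOKIE, SSO_COOKIE],
    ):
        print("WARNING:", problem)
```

With the constructed input, the host-only session cookie stays on build.example.com, while the cookie scoped to `Domain=example.com` (for example one set by a reverse proxy or single sign-on layer in front of Jenkins) is flagged because sibling hosts under that domain receive it.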
Relaxing the rules
This is highly discouraged. If the resource root URL doesn't work for you, please reach out to the Jenkins team.
Whether substantially relaxing these rules is safe depends on the specific Jenkins setup.