...

See content-security-policy.com for a reference on this header and its possible values.

Getting things working

The most expedient approach is to use Jenkins 2.200+ and set up a second domain pointing to the same Jenkins instance (Jenkins URL: build.example.com; Resource Root URL: build-artifacts.example.com). This will result in resources being served from the resource root URL instead of the Jenkins URL. The advantage of this is that there are no cookies associated with this domain, and file paths are hopefully sufficiently unpredictable that people won't be able to exfiltrate content.
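As an added example (not part of the original page or of Jenkins itself), an offline check of the two-domain layout just described: given the Jenkins URL, the Resource Root URL and the Set-Cookie headers observed on the Jenkins domain (constructed samples below, including a hypothetical SSO cookie), it reports any cookie whose scope would also make it travel to the resource root host, which is exactly what the split is meant to prevent.

```python
from urllib.parse import urlsplit

def cookie_domain_covers(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: a Domain=example.com cookie is sent to
    example.com and to every subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def parse_set_cookie(header: str) -> dict:
    """Return the cookie name plus its attributes (lower-cased keys)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return {"name": name, **attrs}

def audit_resource_root(jenkins_url: str, resource_root_url: str,
                        set_cookie_headers: list) -> list:
    """List the ways the resource root would still see Jenkins cookies."""
    jenkins_host = urlsplit(jenkins_url).hostname
    resource_host = urlsplit(resource_root_url).hostname
    findings = []
    if jenkins_host == resource_host:
        findings.append("resource root shares the Jenkins host; no isolation")
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        # A host-only cookie (no Domain attribute) is sent only to jenkins_host.
        scope = c.get("domain") or jenkins_host
        if cookie_domain_covers(scope, resource_host):
            findings.append(
                f"cookie {c['name']} (Domain={scope}) reaches {resource_host}")
    return findings

# Constructed sample headers: a host-only session cookie (as Jenkins sets by
# default) and a hypothetical SSO cookie scoped to the whole parent domain.
SAMPLE_COOKIES = [
    "JSESSIONID.abc123=deadbeef; Path=/; HttpOnly",
    "sso_token=xyz; Domain=example.com; Path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_resource_root("https://build.example.com/",
                                       "https://build-artifacts.example.com/",
                                       SAMPLE_COOKIES):
        print("WARN:", finding)
```

Only the domain-scoped SSO cookie is flagged; the host-only session cookie stays on build.example.com as intended.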

Considerations

The resource root URLs linked from Jenkins include individual secret keys, which users can share with people who do not otherwise have permission to access Jenkins. They have a site-wide configurable timeout.

Relaxing The Rules

This is highly discouraged. If the resource root URL doesn't work for you, please reach out to the Jenkins team.

Considerations

It depends on the specific Jenkins setup whether relaxing these rules substantially is safe.

...