Jenkins Content Security Policy

逝去的感伤 2020-12-04 16:00

I'm confused about Jenkins Content Security Policy.

I know these sites:

  • Configuring Content Security Policy
  • Content Security Policy Reference
6 Answers
  •  清歌不尽
    2020-12-04 16:11

    Trying to share my procedures I always follow one of these workarounds. However you need to pay attention to your security constraints since applying these fixes would be potentially insecure.

    1. Temporal fix:

    Go to Jenkins console and apply the following commands depending on the kind of CSP policies relaxation that you want.

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")
    

    This workaround is aimed for temporal tests or dev environment.

    If you want to change it permanently add this to the java command when you run the application:

    -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"
    

    Finally, I strongly suggest that you read these articles:

    Official Jenkins documentation https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy

    Workarounds to reset CSP rules temporarily or permanently: https://www.cyotek.com/blog/adjusting-the-jenkins-content-security-policy
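
An added example, not part of the answer above or of Jenkins itself: a small Python audit that parses a candidate value for hudson.model.DirectoryBrowserSupport.CSP and lists the relaxations it contains, run over the two policy strings quoted in the answer. The finding names are labels made up for this sketch.

```python
# Added example: audit a candidate hudson.model.DirectoryBrowserSupport.CSP value.
# Finding names are labels invented for this sketch, not Jenkins identifiers.

# The two policy strings quoted in the answer above.
TEMPORARY = ("sandbox allow-scripts; default-src 'self'; "
             "style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")
PERMANENT = "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"


def parse_csp(policy):
    """Split a policy into {directive: [values]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def effective(directives, name):
    """script-src and style-src fall back to default-src; None means unrestricted."""
    return directives.get(name, directives.get("default-src"))


def audit(policy):
    """Return the relaxations in a policy that deserve a review before rollout."""
    d = parse_csp(policy)
    findings = []
    sandbox = d.get("sandbox")
    if sandbox is None:
        findings.append("no-sandbox")
    elif "allow-scripts" in sandbox:
        findings.append("sandbox-allow-scripts")
        if "allow-same-origin" in sandbox:
            findings.append("sandbox-scripts-with-same-origin")
    scripts = effective(d, "script-src")
    if scripts is None:
        findings.append("script-src-unrestricted")
    else:
        if "*" in scripts:
            findings.append("script-src-any-host")
        if "'unsafe-inline'" in scripts:
            findings.append("script-src-unsafe-inline")
    styles = effective(d, "style-src")
    if styles is not None and "'unsafe-inline'" in styles:
        findings.append("style-src-unsafe-inline")
    return findings


if __name__ == "__main__":
    for label, policy in (("temporary", TEMPORARY), ("permanent", PERMANENT)):
        print(label, audit(policy))
```

On the answer's two values, the audit shows that the temporary policy also lets scripts load from any host and run inline, while the permanent one keeps scripts limited to 'self' through default-src.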
