Jenkins error - Blocked script execution in <URL>. because the document's frame is sandboxed and the 'allow-scripts' permission is not set
We were using this content HTML in a Jenkins userContent directory. We recently upgraded to the latest Jenkins 1.625 LTS version & it seems they've introduced new Content security policy which adds the below header to the response headers & the browsers simply decline to execute anything like stylesheets / Javascripts.
X-Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
To get over it, we had to simply remove this header by resetting the below property in Jenkins.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
Those who upgrade to Jenkins 1.625 & use the userContent folder might be affected by this change.
For more information refer https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
You need to follow below steps for solution :
- Open the Jenkin home page.
- Go to Manage Jenkins.
- Now go to Script Console.
- And in that console paste below statement and click on Run. System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
- After that it will load css and js.
Note : After following the above steps if still it is not loading css and js then clear the browser cache and cookie and refresh the page.
I had the same issue with HTML Publisher Plugin.
According to Jenkins new Content Security Policy, you can bypass it by setting:
hudson.model.DirectoryBrowserSupport.CSP=script-src 'unsafe-inline';
UPDATE:
For some reason on Jenkins 2.x, I had to update arguments again, with an empty CSP value, instead of script-src 'unsafe-inline, in order to fully display external HTML pages:
-Dhudson.model.DirectoryBrowserSupport.CSP=
On Windows there's a jenkins.xml in Jenkins home directory, where you can set global JVM options, such as Jenkins system properties. Simply add it under arguments tag:
<arguments>
-Xrs -Xmx256m
-Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle
"-Dhudson.model.DirectoryBrowserSupport.CSP= "
-jar "%BASE%\jenkins.war" --httpPort=8080
</arguments>
For most of the Linux distributions, you can modify JENKINS_ARGS inside file:
/etc/default/jenkins (or jenkins-oc)
For CentOS, modify JENKINS_JAVA_OPTIONS inside file:
/etc/sysconfig/jenkins (or jenkins-oc)
See more examples in the Content Security Policy Reference: http://content-security-policy.com/
For Jenkins hosted on Ubuntu:
-
put to
/etc/default/jenkinsJAVA_ARGS="${JAVA_ARGS} -Dhudson.model.DirectoryBrowserSupport.CSP=\"\" " visit
http://<your jenkins hostname>/safeRestart
(about this and other options: https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties)
UPD: this time when I did this the visiting /safeRestart was not enough. I had to do sudo service jenkins restart.
The above answers did not work for me in Ubuntu 16.04 with Jenkins 2.46.2. I had to change JAVA_ARGS in /etc/default/jenkins as
JAVA_ARGS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; style-src 'unsafe-inline' *;script-src 'unsafe-inline' *;\""
More info here