Jenkins Content Security Policy
While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)
In order to use both inline styles and local stylesheets, you need to add both 'self' and 'unsafe-inline':
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")
Depending on how the progress bar is manipulated, you may need to adjust script-src in the same way as well.
Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.
Just to be clear about setting this CSP property permanently on Jenkins.
If you are running Jenkins on Ubuntu:
$ vim /etc/default/jenkins
- Find the line with JAVA_ARGS and add the CSP policy like this:
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
If you are running Jenkins on CentOS:
$ vim /etc/sysconfig/jenkins
- Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy like this:
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
Save the file and restart Jenkins.
$ sudo service jenkins restart
or in your browser http://localhost:8080/safeRestart
The properties below worked for me. They allow all external servers.
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
To add to @Kirill's answer: if Jenkins is deployed in a Tomcat container, set the CATALINA_OPTS environment variable in the setenv.sh file (present in the ${CATALINA_BASE}/bin folder) as highlighted below:
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_BASE}/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"\""
or
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/software/jenkins/tomcat_jenkins/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'self'; script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; font-src *;\""
After changing the above file, restart Tomcat. It worked like a charm for me. Hope it helps :)
Note: CSP is only applicable for plugins like HTML Publisher and the Maven plugin. It didn't work for the email HTML file.
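The policies posted in the answers above differ a lot in how much they loosen Jenkins' default header, and two of them contain mistakes that are easy to miss by eye (a fetch directive that drops 'self' once it overrides default-src, and a keyword cut off by a stray semicolon so that the browser sees an unknown directive). The following is an added example, not code from any of the answers or from Jenkins itself: a small standard-library Python auditor that parses a CSP string the way a browser does and reports those pitfalls before you put the value into JAVA_ARGS, JENKINS_JAVA_OPTIONS or CATALINA_OPTS. The only Jenkins-specific fact it relies on is the documented default value of the DirectoryBrowserSupport.CSP property; the sample policies in the main block are the ones quoted on this page.

```python
"""Audit a Content-Security-Policy value before handing it to Jenkins via
-Dhudson.model.DirectoryBrowserSupport.CSP. Pure standard library."""
from __future__ import annotations

# Jenkins' documented default for DirectoryBrowserSupport.CSP (what you get
# when the property is unset). Anything else on this page is a loosening of it.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Fetch directives fall back to default-src only while they are ABSENT. Once a
# directive is present it replaces default-src for that resource type entirely.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "child-src", "media-src", "object-src",
}
OTHER_DIRECTIVES = {"sandbox", "frame-ancestors", "base-uri", "form-action", "report-uri"}
# 'unsafe-inline' / 'unsafe-eval' only mean something in these directives;
# anywhere else browsers ignore them.
KEYWORD_DIRECTIVES = {"default-src", "script-src", "style-src"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. As in the spec,
    the first occurrence of a directive wins and later duplicates are ignored.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def audit_csp(policy: str) -> list[str]:
    """Return human-readable findings for a policy; an empty list means nothing to report."""
    findings: list[str] = []
    directives = parse_csp(policy)
    default = directives.get("default-src", [])

    for name, sources in directives.items():
        if name not in FETCH_DIRECTIVES | OTHER_DIRECTIVES:
            # Typical cause: "script-src *; 'unsafe-eval';" where the keyword was
            # split off by a stray ';' and became a bogus directive on its own.
            findings.append(f"unknown directive {name!r} is silently ignored by browsers")
            continue
        if (name in FETCH_DIRECTIVES and name != "default-src"
                and "'self'" in default and "'self'" not in sources and "*" not in sources):
            findings.append(f"{name} replaces default-src and omits 'self': same-origin "
                            f"{name[:-4]} resources are blocked")
        if "*" in sources:
            findings.append(f"{name} permits every origin (*)")
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword not in sources:
                continue
            if name not in KEYWORD_DIRECTIVES:
                findings.append(f"{keyword} has no effect in {name}")
            elif name in ("default-src", "script-src"):
                findings.append(f"{name} allows {keyword}: scripts in a published HTML "
                                f"report run in the Jenkins origin")
    if "sandbox" not in directives:
        findings.append("sandbox dropped: served files are no longer isolated "
                        "from the Jenkins origin")
    return findings


if __name__ == "__main__":
    # The three policies quoted in the answers on this page, as pasted there.
    samples = {
        "script console answer": "default-src 'self'; style-src 'self' 'unsafe-inline';",
        "JAVA_ARGS answer": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;",
        "Tomcat answer (as posted)": "sandbox allow-scripts; default-src 'self'; script-src *; "
                                     "'unsafe-eval'; img-src *; style-src *; 'unsafe-inline'; font-src *;",
    }
    for label, policy in samples.items():
        print(f"== {label}")
        for finding in audit_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run it on a candidate value before editing the startup script; a policy that audits clean is not automatically "safe", but a finding about a missing 'self' or an unknown directive tells you the header will not do what you think it does.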