Jenkins 1.641 introduced the Content-Security-Policy (CSP) header to static files served by Jenkins (specifically, DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files.
Unfortunately, many plugins, including the Squish plug-in, are affected by this. The Squish plug-in is still able to execute tests, but the Web Report from test execution is not displayed properly unless the default Content-Security-Policy rules are relaxed. This article describes how to modify the Content-Security-Policy settings so that the Web Report is displayed correctly.
The Jenkins default Content Security Policy is:
To change the default Content Security Policy, go to Manage Jenkins -> Script Console and enter the following commands in the console:
Then try to view the Web Report again.
The following instructions are not for use in the Jenkins Script Console (Manage Jenkins -> Script Console).
The above solution takes effect immediately, but restarting the Jenkins server will reset the Content Security Policy settings to their defaults.
To implement a permanent solution, one must modify or add Java arguments in the command that starts Jenkins (jenkins.war), setting the system property hudson.model.DirectoryBrowserSupport.CSP for the Java process itself (i.e. this cannot be done in the Jenkins Script Console).
For example, you may have this simple command (possibly in a .bat, .cmd or shell script file) for launching Jenkins:
After adding the hudson.model.DirectoryBrowserSupport.CSP setting to it:
Edit /etc/default/jenkins by changing the entry...
Edit /etc/sysconfig/jenkins by changing the entry...
On Windows, there may be a file called jenkins.xml in the Jenkins installation where this can be added to the arguments tag:
To verify the current Content Security Policy, go to Manage Jenkins -> Script Console and enter the following command in the console:
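Once the active policy value is known, it can be compared with the Jenkins default to see exactly which protections a relaxed setting gives up. The Python script below is an added example, not part of the original article and not code from Jenkins or the Squish plug-in. It assumes the default policy as documented by Jenkins, and `SAMPLE_RELAXED`, `RISKY_SOURCES`, `parse_csp` and `audit` are names and values constructed for illustration.

```python
"""Audit a hudson.model.DirectoryBrowserSupport.CSP value against the Jenkins default."""

# Default policy as documented by Jenkins for DirectoryBrowserSupport.
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Constructed sample of a relaxed policy (not taken from the article).
SAMPLE_RELAXED = ("sandbox allow-scripts; default-src 'none'; img-src 'self'; "
                  "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';")

# Source expressions that weaken protection against malicious HTML/JS files.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(policy):
    """Return {directive: [values]}; as in browsers, the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit(policy, baseline=JENKINS_DEFAULT):
    """List every way `policy` is looser than `baseline` (empty list: not looser)."""
    base, new = parse_csp(baseline), parse_csp(policy)
    if not new:
        return ["empty policy: no restrictions are applied"]
    findings = []
    if "sandbox" not in new:
        findings.append("sandbox removed")
    elif new["sandbox"]:
        findings.append("sandbox relaxed: " + " ".join(new["sandbox"]))
    if "default-src" not in new:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    for name, values in sorted(new.items()):
        if name == "sandbox":
            continue
        added = [v for v in values if v not in base.get(name, []) and v != "'none'"]
        if added:
            tag = "RISKY" if RISKY_SOURCES & set(added) else "added"
            findings.append(f"{name} {tag}: {' '.join(added)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RELAXED):
        print(finding)
```

An empty result means the policy is no looser than the default; each finding names a directive to justify before the setting is made permanent in the Jenkins start-up arguments.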