Content Security Policy (CSP) for Web Report

Introduction

Jenkins 1.641 introduced the Content-Security-Policy (CSP) header for static files served by Jenkins (specifically, by DirectoryBrowserSupport). The header is set to a very restrictive default policy to protect Jenkins users from malicious HTML/JS files.

Unfortunately, many plugins, including the Squish plug-in, are affected by this. The Squish plug-in can still execute tests, but the Web Report from a test execution is not displayed properly unless the default Content-Security-Policy rules are relaxed. This article describes how to modify the Content-Security-Policy settings so that the Web Report works correctly.

Jenkins default Content Security Policy

The Jenkins default Content Security Policy is:

The above rules do not allow running JavaScript, using inline CSS, or loading web fonts.

The Web Report is generated dynamically by JavaScript code from the test results stored in the file data/results-v1.js. Therefore, with the default CSP settings, the Web Report is not displayed correctly (and the web browser's console typically shows multiple errors about blocked script execution and refused loading of fonts and/or stylesheets).
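To make the blocking behaviour concrete, the following POSIX shell script is an added illustration (it is not code from the article, the Squish plug-in, or Jenkins). It resolves which source list governs scripts, inline CSS and fonts under a policy, applying two CSP rules: a fetch directive such as script-src, style-src or font-src that is absent inherits default-src, and a sandbox directive disables scripts unless it carries allow-scripts. JENKINS_DEFAULT_CSP reproduces the default value documented by Jenkins for DirectoryBrowserSupport; RELAXED_CSP is a constructed minimal relaxation used for comparison, not a value taken from this page.

```shell
#!/bin/sh
# Added example (not code from the Squish or Jenkins documentation): resolve
# which CSP source list governs a given kind of resource, applying the CSP
# fallback rule that script-src, style-src and font-src inherit default-src
# when they are absent, and the rule that the sandbox directive disables
# scripts unless it carries allow-scripts.
# JENKINS_DEFAULT_CSP reproduces the default value documented by Jenkins for
# DirectoryBrowserSupport; RELAXED_CSP is a constructed minimal relaxation.

JENKINS_DEFAULT_CSP="sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP="sandbox allow-scripts; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';"

# Split a policy into one directive per line.
csp_lines() {
    printf '%s\n' "$1" | tr ';' '\n'
}

# Print the source list of directive $2 in policy $1, or nothing if absent.
csp_directive() {
    csp_lines "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" | head -n 1
}

# Effective source list for a fetch directive: the directive itself, else
# default-src, else "(unrestricted)" when the policy names neither.
csp_effective() {
    val=$(csp_directive "$1" "$2")
    [ -n "$val" ] || val=$(csp_directive "$1" default-src)
    [ -n "$val" ] || val="(unrestricted)"
    printf '%s\n' "$val"
}

# May a same-origin resource of type $2 load? Prints allowed/blocked.
csp_same_origin() {
    case " $(csp_effective "$1" "$2") " in
        *" 'none' "*)                                  echo blocked ;;
        *" 'self' "* | *" * "* | *" (unrestricted) "*) echo allowed ;;
        *)                                             echo blocked ;;
    esac
}

# May inline content of type $2 (inline <style>, style="...") apply?
# It needs 'unsafe-inline' in the effective source list.
csp_inline() {
    case " $(csp_effective "$1" "$2") " in
        *" 'unsafe-inline' "* | *" (unrestricted) "*) echo allowed ;;
        *)                                            echo blocked ;;
    esac
}

# Is the sandbox directive present, and does it permit scripts?
csp_has_sandbox() {
    csp_lines "$1" | grep -Eq '^[[:space:]]*sandbox([[:space:]]|$)' && echo yes || echo no
}
csp_sandbox_allows_scripts() {
    csp_lines "$1" | grep -Eq '^[[:space:]]*sandbox[[:space:]].*allow-scripts' && echo yes || echo no
}

# Same-origin scripts: a sandbox without allow-scripts blocks them regardless
# of script-src, so both checks must pass.
csp_scripts() {
    if [ "$(csp_has_sandbox "$1")" = yes ] && [ "$(csp_sandbox_allows_scripts "$1")" = no ]; then
        echo blocked
    else
        csp_same_origin "$1" script-src
    fi
}

csp_report() {
    echo "policy: $1"
    echo "  sandbox present    : $(csp_has_sandbox "$1")"
    echo "  same-origin script : $(csp_scripts "$1")"
    echo "  inline CSS         : $(csp_inline "$1" style-src)"
    echo "  same-origin font   : $(csp_same_origin "$1" font-src)"
    echo "  same-origin image  : $(csp_same_origin "$1" img-src)"
}

csp_report "$JENKINS_DEFAULT_CSP"
csp_report "$RELAXED_CSP"
```

Running the script shows why the default policy breaks the report: script-src and font-src are absent, so they fall back to default-src 'none', style-src 'self' permits stylesheet files but not inline CSS, and the bare sandbox directive disables scripts on its own. The relaxed policy keeps sandbox and default-src 'none' and opens only the three things the report needs, which is the shape a practitioner should aim for rather than removing the policy altogether.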

Temporarily relaxing Content Security Policy

To change the default Content Security Policy, go to Manage Jenkins -> Script Console and enter the following commands:

Then try to view the Web Report again.

Permanently relaxing Content Security Policy

The following instructions are not for use in the Jenkins Script Console (Manage Jenkins -> Script Console).

The solution above takes effect immediately, but restarting the Jenkins server resets the Content Security Policy settings to their defaults.

For a permanent solution, you must modify or add Java arguments where Jenkins (jenkins.war) is started, setting the system property hudson.model.DirectoryBrowserSupport.CSP for the Java process itself (i.e. this cannot be done in the Jenkins Script Console).

General approach

For example, you may have a simple command like this (possibly in a .bat, .cmd or shell script file) for launching Jenkins:

After adding the hudson.model.DirectoryBrowserSupport.CSP setting to it:
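As an added example that is not the article's own launch command, the shell script below shows the two things that go wrong in practice when the property is put on a command line: the policy value contains spaces, semicolons and single quotes and therefore must reach java as a single argument, and a value chosen in haste can discard the protection entirely. It assumes Jenkins is started directly with java -jar jenkins.war; RELAXED_CSP is a constructed minimal relaxation and the csp_lint rules are this example's own judgement, not a Jenkins requirement.

```shell
#!/bin/sh
# Added example (not the article's own launch script): start Jenkins with the
# CSP system property on the command line, and lint the chosen value before
# committing it to a startup script. Assumes Jenkins is run directly as
# "java -jar jenkins.war"; paths and the policy value are illustrative.
# RELAXED_CSP is a constructed minimal relaxation that keeps the sandbox and
# default-src 'none' and only opens what the Web Report needs.
RELAXED_CSP="sandbox allow-scripts; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';"

# Reject values that trade the whole protection away. The rules are this
# example's own, not a Jenkins requirement. Prints "ok" and returns 0 on
# success; prints the reason and returns 1 on rejection.
csp_lint() {
    policy=$1
    if [ -z "$policy" ]; then
        echo "reject: empty value sends no policy at all"; return 1
    fi
    if ! printf '%s\n' "$policy" | tr ';' '\n' | grep -Eq '^[[:space:]]*sandbox([[:space:]]|$)'; then
        echo "reject: sandbox directive was dropped"; return 1
    fi
    # Normalise separators so every source token is surrounded by spaces.
    norm=" $(printf '%s' "$policy" | tr ';' ' ') "
    case "$norm" in
        *" 'unsafe-eval' "*)
            echo "reject: 'unsafe-eval' is not needed for the report"; return 1 ;;
        *" * "* | *" https: "* | *" http: "*)
            echo "reject: wildcard or scheme-wide source"; return 1 ;;
    esac
    echo "ok"
}

# Print the command as it should appear in the launch script. The whole -D
# option is wrapped in double quotes; unquoted, the shell would end the
# command at the first ';' and strip the single quotes around 'self'.
jenkins_launch_cmd() {
    printf 'java "-Dhudson.model.DirectoryBrowserSupport.CSP=%s" -jar jenkins.war\n' "$1"
}

# Number of arguments java receives for policy $1; must be 3
# (the -D option, -jar, jenkins.war), i.e. the policy stayed in one argv entry.
jenkins_launch_argc() {
    set -- "-Dhudson.model.DirectoryBrowserSupport.CSP=$1" -jar jenkins.war
    echo $#
}

if csp_lint "$RELAXED_CSP" >/dev/null; then
    jenkins_launch_cmd "$RELAXED_CSP"
fi
```

The same quoting concern applies wherever the value is stored for a service manager (the JAVA_ARGS entries and the jenkins.xml arguments tag described below): the policy must survive as one argument, with its single quotes intact, when the service starts the Java process.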

On Debian/Ubuntu

Edit /etc/default/jenkins by changing the entry...

...to...

On RedHat/CentOS

Edit /etc/sysconfig/jenkins by changing the entry...

...to...

On Windows

On Windows, the Jenkins installation may contain a file called jenkins.xml, where the setting can be added to the arguments tag:

Excerpt from jenkins.xml

Verify current Content Security Policy

To verify the current Content Security Policy, go to Manage Jenkins -> Script Console and enter the following command:
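The Script Console command reads the system property back inside the JVM. As an added, complementary check that is not part of the article, the shell script below confirms what is actually sent on the wire by fetching a file that Jenkins serves through DirectoryBrowserSupport and reading the Content-Security-Policy response header. The URL, file path and credentials are placeholders, and sample_headers is a constructed response used so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): confirm the policy on the wire, not
# only the system property. Jenkins sends the Content-Security-Policy header
# on files served by DirectoryBrowserSupport (workspace and artifact files),
# so fetch one such file and read the header back. JENKINS_URL, the file path
# and the credentials are placeholders; sample_headers is a constructed response.

# Extract the CSP header value from raw HTTP response headers on stdin.
# Header names are case-insensitive and lines end in CRLF.
csp_header_value() {
    tr -d '\r' | sed -n 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy:[[:space:]]*//p' | head -n 1
}

# Compare the served header with the value you configured. Reads headers on
# stdin; $1 = expected policy. Returns 0 on match, 1 otherwise.
verify_csp() {
    got=$(csp_header_value)
    if [ "$got" = "$1" ]; then
        echo "ok: served policy matches: $got"
    else
        echo "mismatch: expected [$1] got [${got:-<no header>}]"
        return 1
    fi
}

# Live check against a Jenkins instance (not run here): a GET with headers
# dumped to stdout and the body discarded. A plain HEAD request is avoided
# because some servers omit headers on HEAD responses.
fetch_headers() {
    # $1 = URL of a workspace/artifact file, $2 = "user:apitoken"
    curl -sS -o /dev/null -D - -u "$2" "$1"
}

# Constructed sample of a response for a workspace file under the Jenkins
# default policy.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Content-Security-Policy: %s\r\n' "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
    printf 'Content-Type: text/html;charset=utf-8\r\n'
    printf '\r\n'
}

# Against a live instance the call would be:
#   fetch_headers "$JENKINS_URL/job/<job>/ws/<path-to-report>/index.html" "$USER:$TOKEN" | verify_csp "$EXPECTED_CSP"
sample_headers | verify_csp "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
```

Run this once after restarting Jenkins with the permanent setting: if the served header still shows the default policy while the Script Console reports your value, the property reached the Script Console session but not the process start-up, which is exactly the case the note at the start of this section warns about.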
