Jenkins 1.641 introduced the Content-Security-Policy (CSP) header to static files served by Jenkins (specifically, DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files.
Unfortunately, many plugins, including the Squish plug-in, are affected by this. The Squish plug-in is still able to execute tests, but the Web Report from test execution is not displayed properly unless the default Content-Security-Policy rules are relaxed. This article describes how to modify the Content-Security-Policy settings so that the Web Report works correctly.
Jenkins default Content Security Policy
The Jenkins default Content Security Policy is:
data/results-v1.js. Therefore, with the default CSP settings, the web report is not displayed correctly (and the web browser’s console typically shows multiple errors about blocked script execution and refusing to load fonts and/or stylesheets).
Temporarily relaxing Content Security Policy
To change the default Content Security Policy, go to Manage Jenkins -> Script Console and enter the following commands:
Then try to view the Web Report again.
Permanently relaxing Content Security Policy
The above solution takes effect immediately, but restarting the Jenkins server resets the Content Security Policy settings to their defaults.
To implement a permanent solution, modify or add Java arguments to the Jenkins start command (jenkins.war), setting the system property hudson.model.DirectoryBrowserSupport.CSP for the Java process itself (i.e. this cannot be done in the Jenkins Script Console).
For example, you may have this simple command (possibly in a .cmd or shell script file) for launching Jenkins:
After adding the hudson.model.DirectoryBrowserSupport.CSP setting to it:
Edit /etc/default/jenkins by changing the entry…
Edit /etc/sysconfig/jenkins by changing the entry…
On Windows there may be a file called jenkins.xml in the Jenkins installation where this can be added to the
Verify current Content Security Policy
To verify the current Content Security Policy, go to Manage Jenkins -> Script Console and enter the following command:
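A read-only audit for the Script Console, added here as an example and not part of the original article: it reads the property back and lists every directive or token that differs from the restrictive default. The default string and the list of tokens to flag are assumptions; confirm the default against the documentation for your Jenkins version.

```groovy
// Added example: read-only audit of the CSP served by DirectoryBrowserSupport.
// Paste into Manage Jenkins -> Script Console; it changes no settings.
String prop = 'hudson.model.DirectoryBrowserSupport.CSP'

// Assumption: restrictive default as documented by the Jenkins project.
// Confirm the exact string for your Jenkins version.
String defaultCsp = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

// Tokens that warrant a closer look: inline or eval'd code, wildcard
// sources, and the sandbox permission that lets scripts run.
def risky = ["'unsafe-inline'", "'unsafe-eval'", '*', 'allow-scripts']

// "a x y; b z" -> [a: [x, y], b: [z]]
def parse = { String policy ->
    policy.split(';')*.trim().findAll { it }.collectEntries { String d ->
        def parts = d.split(/\s+/).toList()
        [(parts[0].toLowerCase()): parts.drop(1)]
    }
}

String current = System.getProperty(prop)
if (current == null) {
    println "${prop} is not set; the built-in default applies."
    return
}
if (current.trim().isEmpty()) {
    // Per the Jenkins documentation, an empty value removes the header entirely.
    println "${prop} is empty: no CSP header is sent for these files."
    return
}
println "Current policy: ${current}"

def base = parse(defaultCsp)
def cur = parse(current)
def findings = []
// Directives the default has but the current policy dropped (e.g. sandbox).
(base.keySet() - cur.keySet()).each { findings << "REMOVED directive ${it}" }
// Tokens present now that the default does not contain.
cur.each { dir, tokens ->
    (tokens - (base[dir] ?: [])).each { tok ->
        findings << "${risky.contains(tok) ? 'RISKY' : 'ADDED'} ${dir}: ${tok}"
    }
}
if (findings) {
    findings.each { println it }
} else {
    println 'No additions or removals relative to the assumed default.'
}
```

Because the property is process-wide, anything this reports applies to every file Jenkins serves through DirectoryBrowserSupport, not only the Squish Web Report.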