Content Security Policy (CSP) for Web Report

Introduction

Jenkins 1.641 introduced the Content-Security-Policy (CSP) header to static files served by Jenkins (specifically, DirectoryBrowserSupport). This header is set to a very restrictive default set of permissions to protect Jenkins users from malicious HTML/JS files.

Unfortunately many plugins, including the Squish plug-in, are affected by this. The Squish plug-in is still able to execute tests, but the Web Report from a test execution is not displayed properly unless the default Content-Security-Policy rules are relaxed. This article describes how to modify the Content-Security-Policy settings so that the Web Report works correctly.

Jenkins default Content Security Policy

The Jenkins default Content Security Policy is:

sandbox; default-src 'none'; img-src 'self'; style-src 'self';

The above rules do not allow JavaScript to run, nor the use of inline CSS or of web fonts.

The Web Report is generated dynamically by JavaScript code from the test results stored in the file data/results-v1.js. Therefore, with the default CSP settings, the Web Report is not displayed correctly (and the web browser's console typically shows multiple errors about blocked script execution and refusals to load fonts and/or stylesheets).

Temporarily relaxing Content Security Policy

To change the default Content Security Policy, go to Manage Jenkins -> Script Console and enter the following commands into the console:

System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP");
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src 'self'; script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; font-src * data:");

Then try to view the Web Report again.

Permanently relaxing Content Security Policy

The above change takes effect immediately, but restarting the Jenkins server resets the Content Security Policy settings to their defaults.

To implement a permanent solution, modify or add the Java arguments used to start Jenkins (jenkins.war) so that the system property hudson.model.DirectoryBrowserSupport.CSP is set for the Java process itself (i.e. this cannot be done from the Jenkins Script Console).

General approach

For example, you may have this simple command (possibly in a .bat, .cmd or shell script file) for launching Jenkins:

java -jar jenkins.war

After adding the hudson.model.DirectoryBrowserSupport.CSP setting, it becomes:

java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-same-origin allow-scripts; default-src 'self'; script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; font-src * data:" -jar jenkins.war

On Debian/Ubuntu

Edit /etc/default/jenkins by changing the entry…

JAVA_ARGS="..."

…to…

JAVA_ARGS="... \"-Dhudson.model.DirectoryBrowserSupport.CSP=sandbox allow-same-origin allow-scripts; default-src 'self'; script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; font-src *;\""

On RedHat/CentOS

Edit /etc/sysconfig/jenkins by changing the entry…

JENKINS_JAVA_OPTIONS="..."

…to…

JENKINS_JAVA_OPTIONS="... \"-Dhudson.model.DirectoryBrowserSupport.CSP=script-src 'unsafe-inline';\""

On Windows

On Windows there may be a file called jenkins.xml in the Jenkins installation directory; the property can be added to its arguments tag:

<arguments>
    -Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle
    "-Dhudson.model.DirectoryBrowserSupport.CSP=script-src 'unsafe-inline';"
    -jar "%BASE%\jenkins.war" --httpPort=8080
</arguments>
Excerpt from jenkins.xml

Verify current Content Security Policy

To verify the current Content Security Policy, go to Manage Jenkins -> Script Console and enter the following command into the console:

println(System.getProperty("hudson.model.DirectoryBrowserSupport.CSP"))
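To judge the value that command prints, the following added Python checker (not part of the Squish plug-in or of Jenkins) parses a CSP string and reports whether scripts, inline CSS and web fonts (including data: URLs) would be allowed for the Web Report. The list of what the report needs is an assumption drawn from the blocked-script and font/stylesheet errors described above; the two policy strings are quoted from this article.

```python
from typing import Dict, List, Optional

# Constructed inputs, both quoted from the article: Jenkins' default policy and
# the relaxed value it sets through hudson.model.DirectoryBrowserSupport.CSP.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = ("sandbox allow-same-origin allow-scripts; default-src 'self'; "
               "script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; "
               "font-src * data:")

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'name src ...; name src ...' into {directive: [sources]}. Names are
    case-insensitive; a repeated directive keeps its first occurrence, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(csp: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """script-src, style-src and font-src fall back to default-src; None means the
    policy does not restrict that resource type at all."""
    return csp[directive] if directive in csp else csp.get("default-src")

def _same_origin_ok(sources: Optional[List[str]]) -> bool:
    # Assumption: the report is served from the Jenkins origin, so only 'self' and
    # '*' are treated as matching host sources (no full host-expression matching).
    return sources is None or any(s in ("'self'", "*") for s in sources)

def check_web_report(policy: str) -> Dict[str, bool]:
    """Which of the Web Report's needs (scripts, inline CSS, web fonts incl. data:
    URLs) the policy satisfies. A bare '*' never matches the data: scheme."""
    csp = parse_csp(policy)
    sandbox = csp.get("sandbox")  # [] is a bare 'sandbox': scripts are blocked
    script_src = effective_sources(csp, "script-src")
    style_src = effective_sources(csp, "style-src")
    font_src = effective_sources(csp, "font-src")
    return {
        "scripts": (sandbox is None or "allow-scripts" in sandbox)
                   and _same_origin_ok(script_src),
        "inline_styles": style_src is None or "'unsafe-inline'" in style_src,
        "web_fonts": _same_origin_ok(font_src),
        "data_fonts": font_src is None or "data:" in font_src,
        # Worth noticing once the policy is relaxed: scripts from any origin may run.
        "any_origin_scripts": script_src is None or "*" in script_src,
    }
```

Run on the shorter RedHat/Windows string script-src 'unsafe-inline'; it reports scripts as not allowed, because that directive names no host source such as 'self' for the report's own data/results-v1.js, so compare its verdict with the browser console before relying on that string.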