The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP issue

After upgrading Jenkins to v2.222.1 we got the below warning message

The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files. As an alternative, you can set up a Resource Root URL that Jenkins will use to serve some static files without adding Content-Security-Policy headers.

We don't want to have a separate source to serve static content; meanwhile, this warning has to be addressed. Please provide your suggestions.

Upvotes: 0

Views: 2312

Answers (2)

fajarhide

Reputation: 463

When requesting .css or .js, the following message may occur (blocked:csp).

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-Epaif2cHkSx/K62AHKClT5geuHQeilAdJVvUuNPdcuw='), or a nonce ('nonce-...') is required to enable inline execution.

In that case, you should deal with it like this, by temporarily relaxing the Content Security Policy. Go to Manage Jenkins -> Script Console and type the following commands into the console:

// Drop any value already set for the property, then set the relaxed policy.
// Properties set this way live in the running JVM only and are lost on restart.
System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP");
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval' ; font-src * data: ");

Upvotes: 0

AkshayBadri

Reputation: 534

By default the CSS content will not be displayed when you publish any report using the HTML Publisher plugin. Jenkins blocks the CSS based on CSP (Content Security Policy).

Ref: https://www.jenkins.io/doc/book/system-administration/security/configuring-content-security-policy/

To enable CSS content: Manage Jenkins -> Script Console and execute System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

When the CSS is enabled you get the following warning: "The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files."

To disable it, just restart the Jenkins server. The CSP will be set back to the default.

Upvotes: 1
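Both answers set the property to a value that turns the warning on, and neither shows what the posted policies actually permit. The following added example (not code from the page or from Jenkins) parses a CSP header value, resolves the default-src fallback the way browsers do, and flags wildcards, 'unsafe-inline' and 'unsafe-eval'. It audits three constructed inputs: Jenkins' documented default policy (quoted from the configuring-content-security-policy page linked above), the relaxed policy from the first answer, and the empty string from the second. It also builds the 'sha256-...' source expression that the browser error message in the first answer names as the alternative to 'unsafe-inline'. The CSS string it hashes is a constructed sample.

```python
"""Added example: audit the CSP values posted on this page and build the
hash-based alternative to 'unsafe-inline'. Constructed inputs; not Jenkins code."""
from __future__ import annotations

import base64
import hashlib

# Jenkins' default DirectoryBrowserSupport policy, as documented at
# jenkins.io (configuring-content-security-policy); the other two are the
# property values posted in the two answers above.
JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_ANSWER_1 = ("sandbox allow-same-origin allow-scripts; default-src *; "
                    "style-src * 'unsafe-inline'; "
                    "script-src * 'unsafe-inline' 'unsafe-eval' ; font-src * data: ")
DISABLED_ANSWER_2 = ""

RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}
# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "object-src", "img-src", "font-src", "connect-src")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]}.
    As in browsers, a repeated directive name keeps its first occurrence."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], name: str):
    """Sources that apply to a fetch directive, honouring the default-src fallback.
    Returns None when the directive is unrestricted (neither it nor default-src set)."""
    if name in directives:
        return directives[name]
    return directives.get("default-src")


def audit(policy: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    if not policy.strip():
        return ["empty policy: no Content-Security-Policy header, browsers apply no restrictions"]
    d = parse_csp(policy)
    findings: list[str] = []
    sandbox = d.get("sandbox")
    if sandbox is None:
        findings.append("sandbox: missing, served files are not isolated from the Jenkins origin")
    elif "allow-same-origin" in sandbox and "allow-scripts" in sandbox:
        findings.append("sandbox: allow-same-origin with allow-scripts lets scripts in served "
                        "files act as the Jenkins origin")
    for name in FETCH_DIRECTIVES:
        sources = effective_sources(d, name)
        if sources is None:
            findings.append(f"{name}: unrestricted (no directive and no default-src)")
            continue
        for risky in sorted(RISKY_SOURCES & set(sources)):
            findings.append(f"{name}: allows {risky}")
    return findings


def csp_hash_source(inline_body: str) -> str:
    """'sha256-...' source expression for one inline <style> or <script> body.
    The hash covers the exact bytes between the tags, whitespace included, so it
    must be recomputed whenever that inline content changes."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


if __name__ == "__main__":
    for label, policy in (("jenkins default", JENKINS_DEFAULT),
                          ("answer 1", RELAXED_ANSWER_1),
                          ("answer 2", DISABLED_ANSWER_2)):
        print(f"[{label}] {policy!r}")
        for finding in audit(policy) or ["no findings"]:
            print("   ", finding)
    # Constructed inline style such as a published HTML report might carry.
    css = "body { font-family: sans-serif; }"
    print("style-src 'self'", csp_hash_source(css))
```

The default policy produces no findings, the first answer's policy is flagged on every directive because default-src * also covers object-src, img-src and connect-src, and the empty string removes the header altogether. If a report only needs its own inline styles, `style-src 'self' 'sha256-...'` admits exactly those bodies without 'unsafe-inline'; whatever value is chosen, a property set through the script console lasts only until the next restart, so a lasting choice belongs in the Jenkins startup options or, as the warning says, in a Resource Root URL.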
