- Improvement
- Resolution: Won't Do
- Major
- None
Jenkins 1.643 (with integrated webserver)
Filing this issue after discussion with danielbeck about JENKINS-32277.
I appreciate the efforts to make Jenkins secure out of the box. But as Daniel pointed out already in his analysis in JENKINS-32026 ("Good point. Unfortunately, while many, possibly most, Jenkins installations may not need this protection because it's not a threat to them..."), the new CSP policy is relevant only for a minority of the Jenkins installations and breaks functionality which worked for years before.
When I was searching for a workaround after I discovered JENKINS-32277, one of the first things I did was look for an option on the Jenkins Global Security options page. Unfortunately, the option to configure CSP is only available as a System Property, which is neither obvious nor user-friendly. I had to contact the IT department so that they could change the Jenkins startup parameters inside the Jenkins.xml file...
Therefore I assume that having that option in the Jenkins Global Security Options page would help a lot.
- is blocking: JENKINS-32277 OWASP Dependency-Check Plugin's html-report is unusable (Closed)
Do we have an update on this? Currently the solution (to keep the setting after system reboot) is to create a job and execute it in an "Execute system Groovy Script" build step. And then under the "Build Triggers" section I selected "Build Periodically" with this value: H 12 * * *
This is NOT a good solution for a problem that doesn't exist for private Jenkins servers, on an issue that was introduced over a year ago.
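
For reviewing a value before it goes into the CSP system property discussed in this issue, the following added example (not part of the original issue or of Jenkins) lists how a proposed policy is weaker than the restrictive default. The default string and the property name `hudson.model.DirectoryBrowserSupport.CSP` are assumptions taken from Jenkins documentation, not from this page; `parse_csp` and `relaxations` are hypothetical helper names.

```python
# Added example: review a proposed Jenkins CSP value against the restrictive default.
# Assumption: DEFAULT_CSP is the default documented for the system property
# hudson.model.DirectoryBrowserSupport.CSP; it is not quoted on this page.
DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(value):
    """Return {directive: set(sources)} for a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def relaxations(proposed, baseline=DEFAULT_CSP):
    """List the ways `proposed` is weaker than `baseline`."""
    new, base = parse_csp(proposed), parse_csp(baseline)
    if not new:
        return ["empty policy: no Content-Security-Policy restrictions at all"]
    findings = []
    if "sandbox" in base:
        if "sandbox" not in new:
            findings.append("sandbox removed")
        else:
            for flag in sorted(new["sandbox"] - base["sandbox"]):
                findings.append(f"sandbox relaxed with {flag}")
    if "default-src" not in new:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    for name, sources in sorted(new.items()):
        if not name.endswith("-src"):
            continue  # only fetch directives carry source lists
        # A directive absent from the baseline falls back to its default-src.
        fallback = base.get(name, base.get("default-src", set()))
        for src in sorted(sources - fallback - {"'none'"}):
            level = "RISKY" if src in RISKY_SOURCES else "added"
            findings.append(f"{name}: {level} source {src}")
    return findings
```

An empty result means the proposed value is no weaker than the baseline; each finding is a relaxation to justify for the specific report or plugin that needs it.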