Status: Closed
Dealing with Content-Security-Policy is just too annoying, and there are too many plugins trying to just serve static files in Jenkins, often for no real reason.
We need second domain support for static resources (DirectoryBrowserSupport) such that accessing that is possible without authentication, just with a token, and that token is used for linked resources as well.
- relates to
JENKINS-59849 Spaces don't work in resource root paths
JENKINS-59874 Support resource domain
I don’t think changing the property value needs a Jenkins restart. DirectoryBrowserSupport rereads it every time: https://github.com/jenkinsci/jenkins/blob/f48c5f552f72485658c1c98482b42ae42ed1ee8c/core/src/main/java/hudson/model/DirectoryBrowserSupport.java#L380
You could use the developer features of the web browser to check whether the HTTP response still has a Content-Security-Policy header and what kind.
kon Thanks for your response. I was also looking at the second option of configuring the resource root URL. But what is the resource root URL for the HTML files which were generated and available in the Jenkins workspace?
To keep it simple, how to generate the resource root URL for static files or HTML files present in the Jenkins workspace?
I don’t really have experience with the resource root URL setting, but from what I understand, you don’t “generate” it; rather, you register another hostname in DNS, pointing to your Jenkins controller host, and configure that as the resource root in Jenkins. Then when a user tries to access “untrusted” files (such as files in workspaces) with a Web browser, Jenkins redirects to a URL within the resource root and serves the file from there.
So, you should talk about the resource hostname with the people who maintain your DNS. They might decide that you need to use a separate second-level domain (like GitHub has github.com for its own UI but githubusercontent.com for untrusted files). Jenkins does not mandate such a strict separation and would be happy with a subdomain for the resources, but perhaps your corporate network has some other web servers that need to be protected from potentially malicious scripts in untrusted files that Jenkins serves under the resource root URL.
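The hostname choice described in the comment above, as an added example that is not part of the original thread or of Jenkins: it classifies a candidate resource root URL against the Jenkins URL as the same host, a subdomain on the same domain, or a separate second-level domain. The hostnames are constructed, and treating the last labels of a name as the public suffix is an assumption standing in for a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of an absolute http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.hostname.lower().rstrip(".")

def site_of(host, suffix_labels=1):
    # Assumption: the public suffix is the last `suffix_labels` labels
    # (1 for "com", 2 for "co.uk"); a real check uses the Public Suffix List.
    return ".".join(host.split(".")[-(suffix_labels + 1):])

def classify_resource_root(jenkins_url, resource_url, suffix_labels=1):
    """Relate a candidate resource root URL to the Jenkins URL."""
    jenkins_host, resource_host = host_of(jenkins_url), host_of(resource_url)
    if jenkins_host == resource_host:
        return "same-host"        # not a second hostname at all
    if site_of(jenkins_host, suffix_labels) == site_of(resource_host, suffix_labels):
        return "same-site"        # subdomain next to other corporate hosts
    return "separate-site"        # its own second-level domain

NOTES = {
    "same-host": "no separation: untrusted files share the Jenkins UI's hostname",
    "same-site": "separate hostname, same domain as other internal web servers",
    "separate-site": "separate second-level domain (github.com / githubusercontent.com pattern)",
}

if __name__ == "__main__":
    jenkins = "https://jenkins.example.com/"            # constructed
    for candidate in (                                   # constructed
        "https://jenkins.example.com/static/",
        "https://jenkins-resources.example.com/",
        "https://ci-usercontent.example.net/",
    ):
        kind = classify_resource_root(jenkins, candidate)
        print(f"{candidate:42} {kind:14} {NOTES[kind]}")
```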
This is an issue tracker, please ask development questions on the dev list to a much larger audience.
Hi All, we are using a performance tool that generated HTML content based on the Jinja templates and we want to publish those inside Jenkins.
The HTML content is not displayed properly, I understand that it's due to Content Security Policy. When I tried to run some commands like System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", ""), still the HTML content is not displayed properly. Does it need a Jenkins restart?
Now here comes the question of the resource root URL. I have these files generated and archived inside the Jenkins workspace. What should be the URL I need to provide?
When I open the HTML in the browser it's pointing to the location in which it's present but not any particular website.
Can someone please help?