New Feature
Resolution: Won't Fix
Minor
None
https://github.com/jenkinsci/htmlpublisher-plugin/pull/22 Enabled some level of basic CSP compatibility.
Jenkins ver. 2.97;
HTML Publisher plugin 1.14
The CSP that I get when I load reports has:
Content-Security-Policy:sandbox; default-src 'none'; img-src 'self'; style-src 'self';
Scoverage
Refused to frame ... because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Pegdown - For ScalaTest
Blocked script execution in .../ScalaTest_Report/index.html because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
I believe that the best way to handle this would be checkboxes/a text field where a user could configure additional CSP directives (frame-src 'self' ... and allow-scripts).
There of course should be an option for an admin to whitelist/blacklist parts of the CSP language (or disallow extending the CSP directive).
Unfortunately there is no programmatic manner for updating the Content Security Policy. The only supported mechanism is via the system property as defined on https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy
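The two console errors in the report come from different parts of the policy. The following is an added example, not code from Jenkins or the HTML Publisher plugin: a simplified model of CSP directive fallback and the sandbox flag, run over the policy quoted in the report and two constructed variants. It shows that adding only `frame-src 'self'` and `allow-scripts` would still leave same-origin scripts blocked by `default-src 'none'`.

```javascript
// Added example: simplified model of CSP fallback and sandbox handling.
// Only 'self', '*' and 'none' are modelled; hosts, nonces and hashes are not.
const FALLBACK = {
  frame: ["frame-src", "child-src", "default-src"],
  script: ["script-src", "default-src"],
  img: ["img-src", "default-src"],
};

// Parse a header value into a Map of directive name -> token list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Which directive decides this resource kind, and does it admit same-origin loads?
function governing(policy, kind) {
  for (const name of FALLBACK[kind]) {
    if (!policy.has(name)) continue;
    const sources = policy.get(name);
    return { directive: name, allowsSelf: sources.includes("'self'") || sources.includes("*") };
  }
  return { directive: null, allowsSelf: true }; // nothing restricts this kind
}

// Same-origin script files need the sandbox flag AND a permitting script-src.
function scriptsCanRun(policy) {
  const sandboxOk = !policy.has("sandbox") || policy.get("sandbox").includes("allow-scripts");
  return sandboxOk && governing(policy, "script").allowsSelf;
}

// Policy quoted in the report above.
const observed = parseCsp("sandbox; default-src 'none'; img-src 'self'; style-src 'self';");
// Constructed: the observed policy plus only the two additions the reporter names.
const proposed = parseCsp(
  "sandbox allow-scripts; default-src 'none'; img-src 'self'; style-src 'self'; frame-src 'self'");
// Constructed: the same, with an explicit script-src for same-origin script files.
const withScripts = parseCsp(
  "sandbox allow-scripts; default-src 'none'; frame-src 'self'; script-src 'self'");

console.log(governing(observed, "frame"));  // decided by default-src
console.log(scriptsCanRun(proposed));       // still blocked by default-src 'none'
```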