New Feature
Resolution: Won't Fix
Minor
None
https://github.com/jenkinsci/htmlpublisher-plugin/pull/22 enabled some level of basic CSP compatibility.
Jenkins ver. 2.97;
HTML Publisher plugin 1.14
The CSP that I get when I load reports has:
Content-Security-Policy:sandbox; default-src 'none'; img-src 'self'; style-src 'self';
Scoverage
Refused to frame ... because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Pegdown - For ScalaTest
Blocked script execution in .../ScalaTest_Report/index.html because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
I believe that the best way to handle this would be checkboxes/a text field where a user could configure additional CSP directives (frame-src 'self' ... and allow-scripts).
There of course should be an option for an admin to whitelist/blacklist parts of the CSP language (or disallow extending the CSP directive).
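
The two errors quoted in the report follow from how a browser resolves the quoted header. The sketch below is an added example, not code from the report or from the plugin; the function names are hypothetical. It goes slightly beyond the report by also resolving the `script-src` fallback.

```javascript
// Header value as quoted in the report above.
const REPORT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";

// Fallback chains for the two fetch directives involved (CSP Level 3).
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// Split a policy into directive name -> value tokens; the first occurrence of a name wins.
// Everything is lowercased, which is enough for the keyword checks done here.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name)) policy.set(name, values);
  }
  return policy;
}

// Find which directive actually governs a resource type, following the fallback chain.
function governing(policy, directive) {
  const name = FALLBACK[directive].find((d) => policy.has(d)) || null;
  const sources = name ? policy.get(name) : null;
  // An empty source list and a lone 'none' both match nothing.
  const blocksAll = sources !== null && sources.every((s) => s === "'none'");
  return { name, blocksAll };
}

// Report why frames and scripts are (or are not) blocked under a given policy.
function explain(header) {
  const policy = parseCsp(header);
  const frame = governing(policy, 'frame-src');
  const script = governing(policy, 'script-src');
  const flags = policy.get('sandbox'); // undefined when the page is not sandboxed
  return {
    frameGovernedBy: frame.name,
    framesBlocked: frame.blocksAll,
    scriptsBlockedBySandbox: flags !== undefined && !flags.includes('allow-scripts'),
    scriptGovernedBy: script.name,
    scriptsBlockedBySrc: script.blocksAll,
  };
}

console.log(explain(REPORT_CSP));
```

Running `explain` on a policy that adds only `frame-src 'self'` and `allow-scripts` shows scripts still governed by `default-src 'none'`, so a `script-src` directive would also be needed for report scripts to run.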