HTML Publisher Plugin should allow users to add additional CSP bits

    • Type: New Feature
    • Resolution: Won't Fix
    • Priority: Minor
    • htmlpublisher-plugin
    • None

      https://github.com/jenkinsci/htmlpublisher-plugin/pull/22 Enabled some level of basic CSP compatibility.

      Jenkins ver. 2.97;
      HTML Publisher plugin 1.14

      The CSP that I get when I load reports has:

      Content-Security-Policy:sandbox; default-src 'none'; img-src 'self'; style-src 'self';

       

      Scoverage

      Refused to frame ... because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

      Pegdown - For ScalaTest

      Blocked script execution in .../ScalaTest_Report/index.html because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

      I believe that the best way to handle this would be checkboxes/a text field where a user could configure additional CSP directives (frame-src 'self' ... and allow-scripts).

       

      There of course should be an option for an admin to whitelist/blacklist parts of the CSP language (or disallow extending the CSP directive).
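
Added example, not part of the original issue or of the plugin's code: a small evaluator that shows why the header quoted above produces both reported errors (the `frame-src` fallback to `default-src`, and the `sandbox` directive without `allow-scripts`). The function names and the `REPORT_CSP` constant are assumptions made for illustration; only the fallback chains needed here are modelled.

```javascript
// Constructed from the header value quoted in the issue description.
const REPORT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";

// Fallback chains for the fetch directives relevant here (CSP Level 3).
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
};

// Parse a policy string into a Map of directive name -> array of values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' yields an empty part
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return which directive governs a resource type and the sources it lists.
function effectiveSources(directives, name) {
  for (const candidate of FALLBACK[name] || [name]) {
    if (directives.has(candidate)) {
      return { governedBy: candidate, sources: directives.get(candidate) };
    }
  }
  return { governedBy: null, sources: null }; // policy does not restrict this type
}

// Scripts run in a sandboxed document only if 'allow-scripts' is listed.
function sandboxAllowsScripts(directives) {
  if (!directives.has('sandbox')) return true;
  return directives.get('sandbox').includes('allow-scripts');
}

// Same-origin loads pass only if the governing list contains 'self' or '*';
// 'none' or an empty list permits nothing.
function allowsSelf(directives, name) {
  const { sources } = effectiveSources(directives, name);
  if (sources === null) return true;
  return sources.some((s) => s === "'self'" || s === '*');
}
```

Evaluating a policy that adds only `sandbox allow-scripts` and `frame-src 'self'` shows that same-origin scripts would still be refused, because `script-src` keeps falling back to `default-src 'none'`.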

          [JENKINS-48764] HTML Publisher Plugin should allow users to add additional CSP bits

          Josh Soref created issue -
          Richard Bywater made changes -
          Issue Type Original: Bug [ 1 ] New: New Feature [ 2 ]

          Richard Bywater added a comment - Unfortunately there is no programmatic manner for updating the Content Security Policy. The only supported mechanism is via the system property as defined on https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy
          Richard Bywater made changes -
          Resolution New: Won't Fix [ 2 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

            r2b2_nz Richard Bywater
            jsoref Josh Soref