  1. Jenkins
  2. JENKINS-57271

CSP Directive impossible to define in startup scripts


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • core
    • None
    • macOS X, java 1.8.0_128

      For quite some time, Jenkins has enforced a strict content security policy on HTML files generated by build jobs. The page https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy explains the reasons behind it and the available ways to configure a different setting, mainly by setting a JVM argument that has to be added to the Jenkins command line.

      Now, the issue with this is that this JVM argument naturally contains spaces, because this is what the CSP standard dictates, and the command line parser seems to be buggy when interpreting JVM arguments that contain spaces when they are given via a shell variable (related: http://mail.openjdk.java.net/pipermail/jmh-dev/2015-March/001768.html).

      Consider the following trivial example:


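      public class Test {
      	public static void main(String[] args) {
      		// Print the system property passed on the command line via -Dfoo.bar=...
      		System.out.println(System.getProperty("foo.bar"));
      	}
      }

      args="-Dfoo.bar=\"bla foo\""
      exec java $args Test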

      This won't work but outputs

      error: Could not find or load main class foo"

      while executing it directly works:

      $ java -Dfoo.bar="bla foo" Test
      bla foo

      Notice how all of the following also do not work and fail:

      • args='-Dfoo.bar="bla foo"'
      • args="-Dfoo.bar='bla foo'"
      • args='-Dfoo.bar=\'bla foo\''
      • args='-Dfoo.bar=bla\ foo'
      • args="\"-Dfoo.bar=bla foo\""

      Since Jenkins instances are mainly executed indirectly from shell scripts, this seems to be a bummer, since there is no obvious way to send that CSP configuration into Jenkins. Maybe there is a totally obscure way of doing it, but it's not obvious to somebody with only basic shell-fu knowledge like me, so


      I wish the CSP configuration (and possibly other related configurations) could simply be done from within the Jenkins UI and be persisted there. If then somehow magically a command line argument pops up for the same setting, it could easily override the setting saved persistently through the UI, but this should really be made easier.

            Assignee: Unassigned
            Reporter: Thomas Keller (thomaskeller)
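The argument splitting reported above can be reproduced without a JVM. The following is an added example, not part of the original report: `show_argv` and `count_argv` are hypothetical stand-ins for `java`, the policy string is a constructed sample, and `hudson.model.DirectoryBrowserSupport.CSP` is the Jenkins system property for this policy (the report does not name it).

```shell
#!/bin/sh
# Added example: a JVM option containing spaces, held in a shell variable,
# is split into several arguments unless it is expanded as a quoted word.

# Constructed sample policy; every non-trivial CSP value contains spaces.
CSP="sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
PROP="-Dhudson.model.DirectoryBrowserSupport.CSP=$CSP"

# Stand-ins for `java` (hypothetical helpers): show or count received arguments.
show_argv() {
  for a in "$@"; do
    printf '[%s]\n' "$a"
  done
}
count_argv() {
  echo "$#"
}

# Pattern from the report: quotes stored inside the variable are plain data,
# not shell syntax, so the unquoted expansion still splits on every space.
# A real `java` would take the second word as the main class name.
broken_launch() {
  cmd=$1
  args="\"$PROP\" -jar jenkins.war"
  "$cmd" $args
}

# Fix: keep each option as one positional parameter and expand "$@" quoted.
# (In bash, an array expanded as "${jvm_args[@]}" behaves the same way.)
fixed_launch() {
  cmd=$1
  set -- "$PROP" -jar jenkins.war
  "$cmd" "$@"
}

echo "broken: $(broken_launch count_argv) arguments"
broken_launch show_argv
echo "fixed: $(fixed_launch count_argv) arguments"
fixed_launch show_argv
```

In a startup script that only exposes a single string variable for JVM options, the launch line itself has to change to a quoted `"$@"` or array expansion; no quoting inside the variable's value can prevent the split.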