Had an issue with an HTML page that contains a hyperlink to another website on the same domain as the Jenkins controller.  The hyperlink would not load the page.  I updated the Jenkins default-src to include all websites on our domain (Example: default-src '*.my.domain.com').  After making the setting change to the CSP header in Jenkins, I expected the web page link to work, but it is still being blocked even after I tried to reload the page.  Not sure why this isn't working.  Note that if I open the html page directly via the artifacts html file, the links work as expected. 

Current CSP setting from System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") is as follows:

Result: sandbox; default-src '*.my.domain.com'; img-src 'self'; style-src 'self' 'unsafe-inline';