JENKINS-70738

Publisher does not appear to properly support default-src CSP header setting


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: htmlpublisher-plugin
    • Jenkins Version = 2.346.3
      HTML Publisher Version = 1.31

Had an issue with an HTML page that contains a hyperlink to another website on the same domain as the Jenkins controller. The hyperlink would not load the page. I updated the Jenkins default-src to include all websites on our domain (Example: default-src '*.my.domain.com'). After making the setting change to the CSP header in Jenkins, I expected the web page link to work, but it is still being blocked even after I tried to reload the page. Not sure why this isn't working. Note that if I open the HTML page directly via the artifacts HTML file, the links work as expected.

Current CSP setting from System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") is as follows:

Result: sandbox; default-src '*.my.domain.com'; img-src 'self'; style-src 'self' 'unsafe-inline';

            r2b2_nz Richard Bywater
            varnk Ken Varn
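The policy quoted above can be checked mechanically: the linter below is an added example (not code from Jenkins or the HTML Publisher plugin) that tokenizes a CSP header and flags single-quoted tokens that are not CSP keywords, because a quoted host such as '*.my.domain.com' is treated by browsers as an unknown keyword and dropped, whereas a host source is written unquoted as *.my.domain.com. Note too that fetch directives such as default-src govern what a document may load, not where an <a href> may navigate. Only the REPORTED_CSP string is taken from the issue; the keyword and directive tables are assumptions drawn from the CSP specification.

```python
import re

# Added example: a small CSP source-expression linter, not code from Jenkins
# or the HTML Publisher plugin. Only REPORTED_CSP comes from the issue.

# Single-quoted tokens are CSP keywords; a quoted host name is not a source.
KEYWORDS = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'",
}
NONCE_OR_HASH = re.compile(r"^'(?:nonce-|sha(?:256|384|512)-)[A-Za-z0-9+/=_-]+'$")
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")          # https:  data:
HOST_SOURCE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                          # optional scheme
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"           # host, wildcard label ok
    r"(?::(?:\d+|\*))?"                                          # optional port
    r"(?:/[^\s;,]*)?$"                                           # optional path
)
SOURCE_LIST_EXTRA = {"base-uri", "form-action", "frame-ancestors"}  # non -src source lists

# Policy string as reported in the issue.
REPORTED_CSP = ("sandbox; default-src '*.my.domain.com'; img-src 'self'; "
                "style-src 'self' 'unsafe-inline';")


def parse_csp(header):
    """Split a serialized policy into {directive-name: [tokens]}; names lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header):
    """Return problems a browser would also log; an empty list means every token parses."""
    problems = []
    for directive, sources in parse_csp(header).items():
        if not (directive.endswith("-src") or directive in SOURCE_LIST_EXTRA):
            continue  # e.g. 'sandbox' takes flags like allow-scripts, not sources
        for src in sources:
            if src.startswith("'"):
                if src not in KEYWORDS and not NONCE_OR_HASH.match(src):
                    bare = src.strip("'")
                    problems.append(f"{directive}: {src} is quoted, so it is read as an "
                                    f"unknown keyword and ignored; use the host {bare} unquoted")
            elif not (SCHEME_SOURCE.match(src) or HOST_SOURCE.match(src)):
                problems.append(f"{directive}: {src} is not a valid source expression")
    return problems
```

Running `lint_csp(REPORTED_CSP)` reports the quoted default-src token and nothing else; the same policy with `default-src 'self' *.my.domain.com` passes clean.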