Jenkins 2.539+ has a built-in Content Security Policy feature.

Docs: https://www.jenkins.io/doc/book/security/csp/ 

This plugin is not compatible with it yet due to:

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/report/ReportAction/index.jelly#L259

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/config/QualysGlobalConfig/config.jelly#L237

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/GetImageVulnsNotifier/config.jelly#L64

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/GetImageVulnsNotifier/config.jelly#L359

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/config/QualysGlobalConfig/config.jelly#L179

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/GetImageVulnsNotifier/config.jelly#L295

https://github.com/jenkinsci/qualys-cs-plugin/blob/ab5e8c023dc5ef6268cb629380676779de4bd993/src/main/resources/com/qualys/plugins/containerSecurity/GetImageVulnsNotifier/config.jelly#L169

As a result, admins have to choose between this plugin working, and improved security.

This plugin should be made compatible with CSP and its code rearranged.

Developer docs: https://www.jenkins.io/doc/developer/security/csp/