While turning this policy off completely is not recommended it can be beneficial to adjust the policy to be less restrictive, allowing the user of external reports without compromising security.
Although I described modifying the CSP in an earlier post, I didn't realise at the time of publishing that the method I mentioned was only temporarily, and as soon as Jenkins was restarted, the defaults were reapplied. This post both covers that original method, and how to do it permanently, serving as a stand-alone reference.
The hudson.model.DirectoryBrowserSupport.CSP setting
The contents of the CSP headers are defined by the
hudson.model.DirectoryBrowserSupport.CSP setting and supports
a wide range of values - the CSP specification is very flexible
and allows you to control how pretty much any type of resource
The specific configuration values are beyond the scope of this post, but you can learn more about CSP settings at a reference site.
sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';
To change the CSP, open the Script Console in Jenkins administration section, and run the following command
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';")
Permanently changing the Content Security Policy when running Jenkins via the command line
If you run Jenkins via the command line, e.g. by calling
java.exe, you can add an extra argument to set the value of
the CSP setting.
The Java documentation states you can use the
to set a "system property value", allowing us to add the
following to the command line
-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"
A note on order of arguments
There's one important caveat though - the ordering of the parameters is important. I run Jenkins as a Windows service (more on that in the next section) and the command line I use looks similar to the following
-Xrs -Xmx256m -Dfile.encoding=UTF8 -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=<PORTNUM> --webroot="%BASE%\war"
Permanently changing the Content Security Policy when Jenkins is running as a Windows Service
If you run Jenkins as a Windows Service, the command parameters
are read from
jenkins.xml, which is located in your main
Jenkins installation. If you open this file in the text editor
of your choice, you should see XML similar to the following
<service> <id>jenkins</id> <name>Jenkins</name> <description>This service runs Jenkins continuous integration system.</description> <env name="JENKINS_HOME" value="%BASE%"/> <executable>%BASE%\jre\bin\java</executable> <arguments>-Xrs -Xmx256m -Dfile.encoding=UTF8 -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=<PORTNUM> --webroot="%BASE%\war"</arguments> <logmode>rotate</logmode> <onfailure action="restart" /> </service>
Note: The contents of the
argumentselement must be a single line, if line breaks are present the service will terminate on startup
Checking the value of the Content Security Policy setting
An easy way to check the CSP policy (regardless of if you set it via the command line or the Script Console) is to use Jenkins' System Information view. This view includes a System Properties table, if a custom CSP is in use, this will be displayed in the table.
- 2017-02-03 - First published
- 2020-11-21 - Updated formatting