Jenkins Content Security Policy

Thomas picture Thomas · Jun 3, 2016 · Viewed 35.5k times · Source

I'm confused about Jenkins Content Security Policy.

I know these sites:

I have a html page shown via Jenkins Clover Plugin. This html page uses inline style, e.g.:

<div class='greenbar' style='width:58px'>

The div-element visualizes a progressbar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL

The result i want to have looks like this: Progressbar_WORKS

I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self, unsafe-inline,..) but nothing works.

So my questions for now:

  1. Where do i have to specify the CSP configuration?
  2. Is it possible to use inline styles?
  3. Where should the styles be located? My css-stylesheets are located local on the Jenkins Server.
  4. What is the best way to get inline style and CSP rules "satisfied"

Update

1. Try: -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

2. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution

I understand that this try can not solve my problem, because default-src includes style-src

3. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline' in the jenkins.xml file. Then the following error occurs:

Refused to load the stylesheet s://jenkins/andsomedir/stylesheet.css [its https://... not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".

Answer

Dave Bacher picture Dave Bacher · Jun 3, 2016

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.