How to relax content security policy in Jenkins

Valliappan Thenappan
2 min read, May 6, 2020

A while ago, I used a fancy reporting plugin for my tests, and it looked great on my local machine. I was so happy seeing it that I executed my tests on a Jenkins machine. With full positivity, I clicked on the HTML reports to view the results there and was shell-shocked to see that all that beautiful CSS had been stripped away:

CSS-stripped HTML report on Jenkins (default Content Security Policy)

So that happened, and I dug into the Jenkins documentation and found the culprit: the default content security policy.

The default rule is set to:

sandbox; default-src 'none'; img-src 'self'; style-src 'self';

This ruleset results in the following:

  • No JavaScript allowed at all
  • No plugins (object/embed) allowed
  • No inline CSS, or CSS from other sites allowed
  • No images from other sites allowed
  • No frames allowed
  • No web fonts allowed
  • No XHR/AJAX allowed, etc.

So how do we relax this?

Go to

  1. Manage Jenkins ->
  2. Manage Nodes ->
  3. Click Settings (gear icon) ->
  4. Click Script Console on the left and type in the following command:
  5. System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

and press Run. If you see ‘Result:’ below the “Result” header, the protection is disabled.

After I did that, my report looked like this:

CSS after CSP is disabled in Jenkins.

So all good, right? Nope. The change we made lasts only for the session. So how do we make sure the change is applied all the time?

You can add this to your jenkins.xml file and restart Jenkins:

<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';" -jar "%BASE%\jenkins.war" --httpPort=8080 --webroot="%BASE%\war"</arguments>
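To see what a candidate hudson.model.DirectoryBrowserSupport.CSP value actually permits before you set it, here is an added Python evaluator (not code from the original post or from Jenkins) that parses a CSP value and maps it onto the capability list above; it is applied to the default policy and to the relaxed policy from the jenkins.xml line, and an empty value, as used in the script console, parses as no policy at all, so everything is permitted.

```python
# Added example, not from the original post: evaluate a CSP value's effect.
# Sample policies constructed from the values quoted in the post.
DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_CSP = "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"

def parse_csp(policy):
    """Split a CSP header value into {directive-name: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a duplicated directive.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def permits(directives, name, want):
    """Does fetch directive `name` allow `want`: 'self', 'inline' or 'remote'?"""
    # Every directive queried here is a fetch directive, which falls back to
    # default-src when absent (simplified: frame-src checks child-src first).
    sources = directives.get(name, directives.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    if "'none'" in sources:
        return False
    if want == "inline":
        return "'unsafe-inline'" in sources
    if want == "self":
        return "'self'" in sources or "*" in sources
    # 'remote': any host or scheme source, or the wildcard, opens other sites
    return any(not s.startswith("'") for s in sources)

def summarize(policy):
    """Map a CSP value onto the capabilities the Jenkins docs list."""
    d = parse_csp(policy)
    sandbox = d.get("sandbox")  # [] means 'sandbox' with no allow-* flags
    scripts_sandboxed = sandbox is not None and "allow-scripts" not in sandbox
    return {
        "javascript": not scripts_sandboxed and permits(d, "script-src", "self"),
        "plugins": permits(d, "object-src", "self"),
        "inline_css": permits(d, "style-src", "inline"),
        "remote_css": permits(d, "style-src", "remote"),
        "remote_images": permits(d, "img-src", "remote"),
        "frames": permits(d, "frame-src", "self"),
        "web_fonts": permits(d, "font-src", "self"),
        "xhr": permits(d, "connect-src", "self"),
    }
```

Running summarize(RELAXED_CSP) shows that the jenkins.xml value re-enables inline CSS, same-origin fonts, XHR and scripts without opening CSS or images from other sites, which is a narrower setting than the empty string.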

But there is an easier hack as well. You can create a CI job that just runs this Groovy script every hour:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

Voilà! The issue was resolved and I could get back to a happy mood. Cheers!
