Chrome "Unsafe attempt to load URL" on same Domains, protocols and ports

jenkins


I stumbled upon the same problem with our internal Jenkins infrastructure, but it is easily reproducible with the Jenkins Docker image by running it according to its documentation and having a pipeline job produce an XSLT file and an XML file that references that XSLT file. Opening the XML via the workspace folder in the Node Allocate node : Start will fail, and Chrome will output the error as stated in the question.

This is not limited to Chrome though, as Firefox will report an error as well, looking something like:

Error loading stylesheet: A network error occurred loading an XSLT stylesheet http://build:8080/view/application/job/Project/Report/SourceMonitor.xslt

Solving this is a matter of configuring the Content Security Policy (CSP) Jenkins uses. How Content Security Policy works is explained here: Stackoverflow: How does Content Security Policy work?

The default CSP configuration for Jenkins is very strict and will not allow an XSL file to be loaded from a document referencing it. The default CSP configuration and how to change it are documented on the Jenkins wiki page.

According to the CSP documentation (CR-CSP-20121115, chapter 4.2 script-src), XSL style sheets are treated as scripts, and I had to add script-src 'self'; and sandbox allow-same-origin; to the default configuration to make a simple XSL style sheet work. I did this via the Jenkins Script Console by running:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP","sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self';")

Using System.setProperty changes the CSP only temporarily, until the next reboot; it is all documented on the Jenkins wiki page.

Look for any further errors reported by Chrome or other browsers, because content in the XSLT file may require you to relax other CSP rules as well, such as allowing style tags to be interpreted.
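Before relaxing this property on a shared Jenkins it is worth seeing exactly what the change permits, since the files behind the workspace and artifact browser are written by whoever can run a build. The script below is an added example, not code from the answer above or from the Jenkins project: it parses serialized CSP values, diffs the documented Jenkins default (`sandbox; default-src 'none'; img-src 'self'; style-src 'self';`) against the relaxed value from the answer, flags the relaxations that matter for build-controlled files (script-src also governs XSLT stylesheets; `sandbox` with both `allow-same-origin` and `allow-scripts` gives no isolation), and extracts the header from a raw HTTP response so you can verify what a running server actually sends. The HTTP response it checks is constructed inline, not captured from a real server.

```python
"""Parse, diff and review the CSP Jenkins sends for workspace/artifact files."""
import re

# Documented default of hudson.model.DirectoryBrowserSupport.CSP
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# The relaxed value set through the Script Console in the answer above
RELAXED_CSP = ("sandbox allow-same-origin; default-src 'none'; img-src 'self'; "
               "style-src 'self'; script-src 'self';")


def parse_csp(policy):
    """Serialized CSP -> {directive: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, names are
    case-insensitive, and only the first occurrence of a directive counts."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def diff_csp(old, new):
    """Directives whose value differs: {name: (old_values, new_values)}; None = absent."""
    a, b = parse_csp(old), parse_csp(new)
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)}


def script_sources(policy):
    """Sources allowed for scripts, which in CSP also covers XSLT stylesheets.
    Falls back to default-src; no applicable directive at all means '*'."""
    p = parse_csp(policy)
    return p.get("script-src", p.get("default-src", ["*"]))


def review(policy):
    """Findings that matter when the served files are build outputs, i.e. are
    written by anyone who can run a job on this Jenkins."""
    p = parse_csp(policy)
    sandbox = p.get("sandbox")
    scripts = script_sources(policy)
    # JavaScript runs unless a sandbox directive without allow-scripts is present
    js_runs = sandbox is None or "allow-scripts" in sandbox
    findings = []
    if sandbox is None:
        findings.append("no sandbox directive: served files get full Jenkins-origin privileges")
    elif "allow-same-origin" in sandbox and "allow-scripts" in sandbox:
        findings.append("sandbox with allow-same-origin and allow-scripts provides no isolation")
    if "'none'" not in scripts:
        findings.append("script-src %s also governs XSLT: a stylesheet written by a build "
                        "is applied to any XML viewed on the Jenkins origin" % " ".join(scripts))
        if js_runs:
            findings.append("JavaScript from %s executes in the Jenkins origin: stored XSS "
                            "via workspace files" % " ".join(scripts))
    if "'unsafe-inline'" in scripts:
        findings.append("'unsafe-inline': inline <script> in served files executes")
    return findings


def csp_from_response(raw_http):
    """Pull the policy out of a raw HTTP response, e.g. one captured with
    curl -si -u user:apitoken http://build:8080/job/Project/ws/report.xml"""
    head = re.split(r"\r?\n\r?\n", raw_http, maxsplit=1)[0]
    for line in head.splitlines()[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


# Constructed sample response (not captured from a real server): what a
# default-configured Jenkins would send for a workspace XML file.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: " + JENKINS_DEFAULT_CSP + "\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="SourceMonitor.xslt"?><report/>'
)

if __name__ == "__main__":
    for name, (old, new) in diff_csp(JENKINS_DEFAULT_CSP, RELAXED_CSP).items():
        print("%s: %s -> %s" % (name, old, new))
    for finding in review(RELAXED_CSP):
        print("WARNING:", finding)
    print("policy sent by server:", csp_from_response(SAMPLE_RESPONSE))
```

For the answer's value the review reports a single finding: the sandbox still blocks JavaScript (no `allow-scripts`), but `script-src 'self'` means any XSLT a build drops into a workspace is applied to XML viewed on the Jenkins origin. If you later add `allow-scripts` or `'unsafe-inline'` to get a richer stylesheet working, the remaining findings fire, and at that point the property should be set only after deciding who is allowed to write to workspaces. To make the setting survive a restart, pass it to the JVM instead of the Script Console (`-Dhudson.model.DirectoryBrowserSupport.CSP=...`, e.g. via `JAVA_OPTS` for the Docker image), as the wiki page referenced above describes.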