Jenkins Content Security Policy

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.

Just to be clear about setting this CSP property permanently on Jenkins.

If you are running Jenkins on Ubuntu:

1. $ vim /etc/default/jenkins
2. Find the line with JAVA_ARGS and add the CSP policy like this: JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

If you are running Jenkins on CentOS:

1. $ vim /etc/sysconfig/jenkins
2. Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy like this: JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

Save the file and restart Jenkins.$ sudo service jenkins restart or in your browser http://localhost:8080/safeRestart

Below properties worked for me. The following properties allow all the external servers.

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")