> On 25. Jan 2018, at 07:23, Richard Bywater <ric...@byh2o.com> wrote:
>
> One of the users of the HTML Publisher has asked if the plugin could be changed to allow additional Content-Security-Policy settings to be set as part of the configuration for the report. (https://issues.jenkins-ci.org/browse/JENKINS-48764)
>
> I've taken a quick look at the code that seems to output CSP but I'm a bit lost, and it would be good if someone who knows the code a bit better could let me know if it's possible at all or not before I try and dig into how it might be done :)

CSP for files served by Jenkins can be modified by the admins as described on https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
There's currently no programmatic way to change these defaults for a specific DirectoryBrowserSupport instance. JENKINS-41891 looks a lot more promising.
Plugins overriding the CSP system property is considered a security vulnerability, such as in https://jenkins.io/security/advisory/2016-07-27/