Setting Content-Security-Policy in plugin


Richard Bywater

Jan 25, 2018, 1:23:36 AM
to jenkin...@googlegroups.com
One of the users of the HTML Publisher has asked if the plugin could be changed to allow additional Content-Security-Policy settings to be set as part of the configuration for the report. (https://issues.jenkins-ci.org/browse/JENKINS-48764)

I've taken a quick look at the code that seems to output CSP but I'm a bit lost, and it would be good if someone who knows the code a bit better could let me know if it's possible at all or not before I try and dig into how it might be done :)

Thanks
Richard.

Daniel Beck

Jan 25, 2018, 3:06:54 AM
to jenkin...@googlegroups.com

> On 25. Jan 2018, at 07:23, Richard Bywater <ric...@byh2o.com> wrote:
>
> One of the users of the HTML Publisher has asked if the plugin could be changed to allow additional Content-Security-Policy settings to be set as part of the configuration for the report. (https://issues.jenkins-ci.org/browse/JENKINS-48764)
>
> I've taken a quick look at the code that seems to output CSP but I'm a bit lost, and it would be good if someone who knows the code a bit better could let me know if it's possible at all or not before I try and dig into how it might be done :)

CSP for files served by Jenkins can be modified by the admins as described on https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

There's currently no programmatic way to change these defaults for a specific DirectoryBrowserSupport instance. JENKINS-41891 looks a lot more promising.

Plugins overriding the CSP system property is considered a security vulnerability, such as in https://jenkins.io/security/advisory/2016-07-27/
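
Added example (not part of the thread and not Jenkins project code): a small Python check a reviewer could run over plugin source to flag writes to the CSP system property, the pattern the reply above describes as a security vulnerability. The property name `hudson.model.DirectoryBrowserSupport.CSP` is not quoted in the thread and is assumed from the Jenkins CSP documentation; the Java snippet is constructed sample input.

```python
import re

# Assumption: system property Jenkins reads for the CSP of files it serves.
CSP_PROPERTY = "hudson.model.DirectoryBrowserSupport.CSP"

# Calls that change a system property; group 2 is the first argument (the key).
WRITE_CALL = re.compile(r"System\s*\.\s*(setProperty|clearProperty)\s*\(\s*([^,)]+)")
# Constants bound to the property name, e.g. String CSP_KEY = "hudson...CSP";
CONST_DEF = re.compile(r"(\w+)\s*=\s*\"" + re.escape(CSP_PROPERTY) + r"\"")
# Naive // comment stripping; a "//" inside a string literal is also cut.
LINE_COMMENT = re.compile(r"//.*$")


def find_csp_overrides(source):
    """Return (line_number, call_name) for each write to the CSP property."""
    lines = [LINE_COMMENT.sub("", line) for line in source.splitlines()]
    # First pass: names of constants that hold the property string.
    aliases = {m.group(1) for line in lines for m in CONST_DEF.finditer(line)}
    findings = []
    for number, line in enumerate(lines, start=1):
        for call in WRITE_CALL.finditer(line):
            key = call.group(2).strip()
            is_literal = key == '"' + CSP_PROPERTY + '"'
            # Accept both CSP_KEY and Qualified.CSP_KEY references.
            is_alias = key.rsplit(".", 1)[-1] in aliases
            if is_literal or is_alias:
                # clearProperty is reported too: it discards the admin's value.
                findings.append((number, call.group(1)))
    return findings


# Constructed sample input, not taken from any real plugin.
SAMPLE_PLUGIN_SOURCE = '''\
public class ReportAction {
    private static final String CSP_KEY = "hudson.model.DirectoryBrowserSupport.CSP";
    // System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "");
    void relax() { System.setProperty(CSP_KEY, ""); }
    void reset() { System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP"); }
    String current() { return System.getProperty(CSP_KEY); }
    void other() { System.setProperty("some.other.property", "x"); }
}
'''

if __name__ == "__main__":
    for line_number, call_name in find_csp_overrides(SAMPLE_PLUGIN_SOURCE):
        print(f"line {line_number}: System.{call_name} touches {CSP_PROPERTY}")
```

Reads of the property and writes to unrelated properties are not reported; the check is line-based, so a call split across several lines would be missed.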

Richard Bywater

Jan 25, 2018, 6:53:41 PM
to jenkin...@googlegroups.com
Thanks Daniel - good to know some background.

Will go forth and close off the feature request.

Cheers
Richard.
