Hi everyone,
Since Jenkins 2.539, Content Security Policy support is a core feature that admins can opt in to[1]. It helps protect from cross-site scripting vulnerabilities on the Jenkins UI. This is different from similar protection in DirectoryBrowserSupport (usually serving user content) that has existed for many years.
While the vast majority of plugins are compatible with these new restrictions, many are not yet. With the first LTS release with this feature coming soon, now would be a good time to check the list[2] of known incompatible plugins to see whether any of yours still need some work. The most common problems and their solutions are documented[3]. Most problems do not require a Jenkins core dependency update to fix either. There might also be an open PR waiting for you already.
If you have questions or need help, feel free to ping me directly on GH or in Jira, or send a message in Gitter (directly or in jenkinsci/csp).
Daniel
[1] https://www.jenkins.io/doc/book/security/csp/
[2] https://github.com/daniel-beck/csp-compatibility (temporary location)
[3] https://www.jenkins.io/doc/developer/security/csp/