This page describes the restrictions applied by default to potentially untrusted files served by Jenkins, and how to customize them.

The default rule set results in the following:

sandbox allow-same-origin
    limits a number of things the page can do, similar to the sandbox attribute set on iframes. For a full list of what is prohibited, see this site. This attribute is not widely supported.

default-src 'none'
    prohibits loading scripts, URLs for AJAX/XHR/WebSockets/EventSources, fonts, plugin objects, media, and frames from anywhere (images and styles would also be prohibited, but are allowed by the more specific rules described below).

img-src 'self'
    allows loading images from other files served by Jenkins. Inline image definitions are prohibited.

style-src 'self'
    allows loading style sheets from other files served by Jenkins. Inline style sheets are prohibited.
It is strongly recommended to set up the Resource Root URL instead of customizing Content-Security-Policy. Most of the documentation below was written when Content-Security-Policy was first introduced and is retained for use by administrators unable to set up Jenkins to serve user content from a different domain.
It depends on the specific Jenkins setup whether relaxing these rules substantially is safe. The following needs to be taken into consideration:

Are less trusted users allowed to create or modify files in Jenkins workspaces?
    If Jenkins builds pull requests sent by untrusted users, or employs a security model that limits trust in users allowed to configure one or more jobs, this also affects in what way the CSP rule set should be relaxed: anything allowed there could be abused by users with the ability to change files in workspaces or archived artifacts.

Are some agents not fully trusted?
    Even when Agent To Controller Access is used to limit what agents can do on the controller node, the entire build directory on the controller node is writable by agents, with the exception of the build.xml file itself. Therefore any file stored in a build directory and served by Jenkins should be considered potentially unsafe.
The CSP header sent by Jenkins can be modified by setting the Java system property hudson.model.DirectoryBrowserSupport.CSP:

If its value is the empty string, e.g.

    java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war

then the header will not be sent at all.

Any other value will be used as the header value, e.g.

    java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-same-origin; default-src 'self';" -jar jenkins.war

See content-security-policy.com for a reference on this header and its possible values.
Changes to the system property will be effective immediately, so it's possible to set this system property temporarily via the Script Console, allowing you to experiment with different values:

Set a custom value for the header:

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin; default-src 'self';")

Unset the header:

    System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")

Set the header to the default:

    System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP")

Find out the current header value:

    System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")

How to interpret the output:

    null: the property is not set, so the default rule set described above is sent.
    "" (empty string): the header is not sent at all.
    Any other value: that value is sent as the header.
Maven Integration Plugin has a feature that allows browsing generated Maven documentation sites (e.g. site:site) in Jenkins. When using this feature, it may be necessary to relax the CSP rule set to allow this to work. In limited testing, it was necessary to at least allow style-src 'unsafe-inline'. Depending on the site's content, more relaxed rules may be necessary.

    sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline';
The Javadoc Plugin makes Javadoc available for browsing in Jenkins. The default rule set does not allow use of frames in pages served by Jenkins. To make this work again, the directives frame-src 'self' and child-src 'self' must be added to the CSP header. It appears Safari also requires the sandbox directive to be removed.

    sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self'; child-src 'self'; frame-src 'self';

To see the ALL CLASSES link when browsing Javadoc without frames, script-src 'unsafe-inline' must also be added to the CSP header.
From version 1.10 on, the HTML Publisher Plugin is compatible with Content Security Policy. Before that, it executed inline JavaScript in a file served by DirectoryBrowserSupport to set up the frame wrapper around the published files and would fail unless script-src 'unsafe-inline' was allowed, which is a possible security issue.

If the published HTML files require JavaScript or other dynamic features prohibited by Content Security Policy to work properly, the Content-Security-Policy header will need to be adjusted accordingly. This applies to all versions of HTML Publisher Plugin.
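Because every relaxation above widens what a file in a workspace or build directory can do once a user opens it, it is useful to have a repeatable check that tells you, for a given header value, which protections of the default rule set have been given up. The following Python script is an added example and is not part of the Jenkins documentation or code base. It parses a Content-Security-Policy header the way a browser reads it (first occurrence of a directive wins, fetch directives fall back to default-src) and reports which of the protections discussed on this page no longer hold: the header missing entirely (the effect of setting the system property to the empty string), no sandbox directive, scripts or inline scripts allowed, inline styles allowed, or framing allowed. The header strings it audits are the default rule set, the custom value shown in the implementation section, and the Maven and Javadoc rule sets from this page; the last one, labelled constructed, is made up to show a fully relaxed policy. The finding codes and the function names are this example's own.

```python
"""Audit Content-Security-Policy header values of the kind Jenkins sends for
files served by DirectoryBrowserSupport (added example, not Jenkins code)."""

# Fetch directives fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src",
}

# Header values taken from the text of this page ...
JENKINS_DEFAULT = "sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self';"
RELAXED_FROM_DOCS = "sandbox allow-same-origin; default-src 'self';"
MAVEN_SITE = ("sandbox allow-same-origin; default-src 'none'; img-src 'self'; "
              "style-src 'self' 'unsafe-inline';")
JAVADOC_FRAMES = ("sandbox allow-same-origin; default-src 'none'; img-src 'self'; "
                  "style-src 'self'; child-src 'self'; frame-src 'self';")
# ... and one constructed value that drops almost every protection.
CONSTRUCTED_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';'; the first token is the directive name.
    A repeated directive keeps its first occurrence, as browsers do.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list that governs a directive, honouring default-src fallback.

    Returns None when nothing in the policy restricts the directive at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_any(sources):
    """True unless the source list blocks everything ('none' or empty list)."""
    return sources is None or (len(sources) > 0 and sources != ["'none'"])


def audit_csp(header):
    """Return sorted finding codes for a header value (None = header absent)."""
    if header is None or not header.strip():
        return ["no-header"]
    policy = parse_csp(header)
    findings = []
    if "sandbox" not in policy:
        findings.append("no-sandbox")
    scripts = effective_sources(policy, "script-src")
    if allows_any(scripts):
        findings.append("scripts-allowed")
    if scripts and "'unsafe-inline'" in scripts:
        findings.append("inline-scripts")
    styles = effective_sources(policy, "style-src")
    if styles and "'unsafe-inline'" in styles:
        findings.append("inline-styles")
    if any(allows_any(effective_sources(policy, d)) for d in ("frame-src", "child-src")):
        findings.append("frames-allowed")
    return sorted(findings)


if __name__ == "__main__":
    samples = {
        "default rule set": JENKINS_DEFAULT,
        "implementation example": RELAXED_FROM_DOCS,
        "Maven site": MAVEN_SITE,
        "Javadoc with frames": JAVADOC_FRAMES,
        "constructed weak policy": CONSTRUCTED_WEAK,
        "header not sent": None,
    }
    for label, value in samples.items():
        print(f"{label:24s} {audit_csp(value) or ['ok']}")
```

Run it against the value returned by System.getProperty in the Script Console, or against the header observed in a browser's developer tools for a file under a job's workspace, to see which of the defaults a customization has traded away. An empty finding list means the policy is at least as strict as the default rule set for the properties this page discusses; anything else names the relaxation an attacker with write access to a workspace or build directory could rely on.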