Jenkins Content Security Policy
I am confused about Jenkins content security policy.
I know these sites:
I have an HTML page rendered via the Jenkins Clover plugin. This HTML page uses inline styling like:
<div class='greenbar' style='width:58px'>
The div element renders a progress bar. Using the Jenkins default CSP configuration results in the following output: Progressbar_FAIL
Instead, I want it to look like this: Progressbar_WORKS
I tried to soften the CSP rules by adding different combinations of directives (script-src, style-src) with different source values ('self', 'unsafe-inline', ...), but nothing seems to work.
So my questions now:
- Where should I put my CSP configuration?
- Can inline styles be used?
- Where should the stylesheets be located? My CSS stylesheets are located locally on the Jenkins server.
- What's the best way to get inline styling and the CSP rules "satisfied"?
1. Try it:
-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'"
in the jenkins.xml file. Then the following error occurs:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
2. Try it:
-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self'"
in the jenkins.xml file. Then the following error occurs:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
I understand that this attempt cannot solve my problem, because default-src already covers style-src.
3. Try it:
-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline'"
in the jenkins.xml file. Then the following error occurs:
Refused to load the stylesheet 'https://jenkins/andsomedir/stylesheet.css' [the real URL is https://..., but I'm not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".
While experimenting, I recommend using the Script console to dynamically change the CSP setting, as described on the Content Security Policy Configuration page. (There's another note on the Jenkins wiki page that indicates that you may need to force a page reload to see the new settings.)
To use both inline styles and local stylesheets, you need to add both 'self' and 'unsafe-inline':
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")
Depending on how the progress bar is manipulated, you may need to configure script-src in the same way.
Once you find the setting that works, you can customize the Jenkins startup script to add the CSP parameter definition.
Just to be clear about where this CSP property resides on Jenkins.
If you are using Jenkins on Ubuntu:
- $ vim /etc/default/jenkins
- Find the line with JAVA_ARGS and add the CSP policy as follows:
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
If you are using Jenkins on CentOS:
- $ vim /etc/sysconfig/jenkins
- Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy as follows:
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""
Save the file and restart Jenkins:
$ sudo service jenkins restart
or in your browser: http://localhost:8080/safeRestart
To share my fixes: I always follow one of them. However, you need to pay attention to your security restrictions, as these fixes are potentially insecure.
- Interim fix:
Go to the Jenkins Script console and run the following command, depending on the CSP relaxation you want:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")
This workaround is for temporary tests or a development environment.
- If you want to change it permanently, add this to your java command when you start your application:
-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"
Finally, I highly recommend that you read the following articles:
- Jenkins official documentation: https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy
- Workarounds for resetting CSP rules temporarily or permanently: https://www.cyotek.com/blog/adjusting-the-jenkins-content-security-policy
To add more to @Kirill's answer...
If Jenkins is deployed in a Tomcat container, then set the environment variable CATALINA_OPTS in the setenv.sh file (present in the ${CATALINA_BASE}/bin folder) as below:
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_BASE}/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"\""
or
export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/software/jenkins/tomcat_jenkins/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'self'; script-src * 'unsafe-eval'; img-src *; style-src * 'unsafe-inline'; font-src *;\""
Restart Tomcat after changing the above file. It worked like a charm for me. Hope this helps :)
Note: CSP is only applicable for plugins like HTML Publisher and the Maven plugin. It didn't work for the HTML email file.
I had a similar problem too. The below solution works for me.
java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox; style-src 'unsafe-inline' *;" -Dsvnkit.http.sslProtocols=TLSv1 -jar C:/server/Jenkins.war --httpPort=8280
The properties below helped me. They allow all external servers:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
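Every policy in this thread is resolved by the browser the same way: a fetch directive such as style-src is looked up first, and only if it is absent does default-src apply, which is why the three attempts in the question fail and the first answer's "'self' 'unsafe-inline'" works. The Python script below is an added example, not code from the question, from any answer, or from Jenkins itself. It parses a hudson.model.DirectoryBrowserSupport.CSP value, applies the default-src fallback, reports whether the Clover report's inline width style and its local stylesheet would load under each policy quoted above, and lists the script relaxations that the later, broader answers introduce. The page origin https://jenkins is a constructed value matching the stylesheet URL in the question, and the host matcher is deliberately simplified (exact origin, 'self', scheme sources and *) rather than a complete CSP implementation.

```python
"""Added example (not from the question, any answer, or Jenkins itself):
resolve a hudson.model.DirectoryBrowserSupport.CSP value the way a browser
does and report what each policy in this thread allows."""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src"}

# Constructed values: the Jenkins origin and the stylesheet URL from the question.
PAGE_ORIGIN = "https://jenkins"
STYLESHEET = "https://jenkins/andsomedir/stylesheet.css"

# Policies quoted in the thread, keyed by where they appear.
POLICIES = {
    "attempt 1": "default-src 'self'",
    "attempt 2": "default-src 'self'; style-src 'self'",
    "attempt 3": "default-src 'self'; style-src 'unsafe-inline'",
    "first answer": "default-src 'self'; style-src 'self' 'unsafe-inline';",
    "third answer": ("sandbox allow-scripts; default-src 'self'; "
                     "style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';"),
    "last answer": ("default-src * 'unsafe-inline' 'unsafe-eval'; "
                    "script-src * 'unsafe-inline' 'unsafe-eval'; "
                    "connect-src * 'unsafe-inline'; "
                    "img-src * data: blob: 'unsafe-inline'; "
                    "frame-src *; style-src * 'unsafe-inline';"),
}


def parse_csp(policy):
    """Split "name src src; name src" into {name: [sources]}. Directive names
    are case-insensitive; a repeated directive keeps its first occurrence."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources governing `name`, honouring the default-src fallback.
    None means neither directive is present, so nothing is restricted."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def allows_inline(directives, name):
    """Inline content (style="..." attributes, inline <script>) needs
    'unsafe-inline' in the effective directive; hashes and nonces are not modelled."""
    sources = effective_sources(directives, name)
    return sources is None or "'unsafe-inline'" in sources


def allows_url(directives, name, url, page_origin):
    """Simplified host matching: *, 'self', scheme sources (data:) and exact origins."""
    sources = effective_sources(directives, name)
    if sources is None:
        return True
    target = urlparse(url)
    target_origin = f"{target.scheme}://{target.netloc}"
    for src in sources:
        if src == "*" and target.scheme in ("http", "https"):
            return True  # * never matches data:, blob: or filesystem: URLs
        if src == "'self'" and target_origin == page_origin:
            return True
        if src.endswith(":") and src[:-1] == target.scheme:
            return True
        if src == target_origin:
            return True
    return False


def evaluate(policy, page_origin=PAGE_ORIGIN, stylesheet=STYLESHEET):
    """What the Clover report needs: an inline width style and a local stylesheet."""
    directives = parse_csp(policy)
    return {
        "inline_style": allows_inline(directives, "style-src"),
        "local_stylesheet": allows_url(directives, "style-src", stylesheet, page_origin),
    }


def script_relaxations(policy):
    """Script-execution relaxations worth reviewing before making a policy permanent:
    without a sandbox directive, a script in a served report runs in the Jenkins origin."""
    directives = parse_csp(policy)
    sources = effective_sources(directives, "script-src") or []
    findings = []
    if "*" in sources:
        findings.append("scripts may be loaded from any host")
    if "'unsafe-inline'" in sources:
        findings.append("inline scripts may run")
    if "'unsafe-eval'" in sources:
        findings.append("eval() may run")
    if findings and "sandbox" not in directives:
        findings.append("no sandbox directive: scripts share the Jenkins origin")
    return findings


if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(f"{label:13} {evaluate(policy)}  {script_relaxations(policy)}")
```

Running it shows the first three policies blocking either the inline style or the stylesheet, the first answer allowing both with no script relaxations, and the last answer allowing both at the cost of four script relaxations; the third answer's sandbox directive is what keeps its wildcard script-src from running in the Jenkins origin.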