Jenkins Content Security Policy

Question

I'm confused about Jenkins Content Security Policy.

I know these sites:

• Configuring Content Security Policy
• Content Security Policy Reference

I have a html page shown via Jenkins Clover Plugin. This html page uses inline style, e.g.:

<div class='greenbar' style='width:58px'>

The div-element visualizes a progressbar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL

The result i want to have looks like this: Progressbar_WORKS

I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self, unsafe-inline,..) but nothing works.

So my questions for now:

1. Where do i have to specify the CSP configuration?
2. Is it possible to use inline styles?
3. Where should the styles be located? My css-stylesheets are located local on the Jenkins Server.
4. What is the best way to get inline style and CSP rules "satisfied"

Update

1. Try: -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

2. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'self' in the jenkins.xml file. Then the following error occurs:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution

I understand that this try can not solve my problem, because default-src includes style-src

3. Try -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; style-src 'unsafe-inline' in the jenkins.xml file. Then the following error occurs:

Refused to load the stylesheet s://jenkins/andsomedir/stylesheet.css [its https://... not allowed to post more than two links :(] because it violates the following Content Security Policy directive: "style-src 'unsafe-inline'".

Answer 1

While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There's another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.)

In order to use both inline styles and local stylesheets, you need to add both self and unsafe-inline:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")

Depending on how the progressbar is manipulated, you may need to adjust 'script-src' in the same way as well.

Once you find a setting that works, you can adjust the Jenkins startup script to add the CSP parameter definition.

Answer 2

Just to be clear about setting this CSP property permanently on Jenkins.

If you are running Jenkins on Ubuntu:

1. $ vim /etc/default/jenkins
2. Find the line with JAVA_ARGS and add the CSP policy like this: JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

If you are running Jenkins on CentOS:

1. $ vim /etc/sysconfig/jenkins
2. Find the line with JENKINS_JAVA_OPTIONS and add the CSP policy like this: JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src data:;\""

Save the file and restart Jenkins. $ sudo service jenkins restart or in your browser http://localhost:8080/safeRestart

Answer 3

Below properties worked for me. The following properties allow all the external servers.

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")

Answer 4

To add more to the @Kirill's answer ...

If jenkins is deployed in tomcat container, set the CATALINA_OPTS environment value in setenv.sh file ( Present in ${CATALINA_BASE}/bin Folder ) as highlighted below:-

export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=${CATALINA_BASE}/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"\" 

or

export CATALINA_OPTS="-Xmx2048m -Xms2048m -XX:MaxNewSize=768m -XX:-HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/software/jenkins/tomcat_jenkins/logs/java.hprof -XX:ParallelGCThreads=2 -XX:-UseConcMarkSweepGC -Dcom.sun.management.jmxremote -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'self'; script-src *; 'unsafe-eval'; img-src *; style-src *; 'unsafe-inline'; font-src *;\

After Changing the above file, restart the tomcat. It worked like charm to me. Hope it helps :)

Note:- CSP is only applicable for the plugins like HTML publisher, maven plugin . It didn't work for email html file.

Answer 5

Trying to share my procedures I always follow one of theseworkarounds. However you need to pay attention to your security constraints since applying these fixes would be potentially insecure.

1. Temporal fix:

Go to Jenkins console and applythe following commands depending on the kind of CSP policies relaxation that you want.

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline';")

This workaround is aimed for temporal tests or dev environment.

If you want to change it permanently add this to the java command when you run the application:

-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline';"

Finally I strongly suggest you to read these articles:

Official Jenkins documentation https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy

Workarounds to reset CSP rules temporary or permanently: https://www.cyotek.com/blog/adjusting-the-jenkins-content-security-policy

Answer 6

I too had a similar issue. The below solution worked for me.

java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox; style-src 'unsafe-inline' *;" -Dsvnkit.http.sslProtocols=TLSv1 -jar C:/server/Jenkins.war --httpPort=8280

Answer 7

In this example I set CSP="default-src 'self'; img-src 'self'; style-src 'self';", which was enough for my test report to be rendered correctly, but you can specify your own policy.

Jenkins CSP override for systemd

cat <<-'EOF' > /etc/systemd/system/jenkins.service.d/override.conf
[Service]
Environment="JAVA_OPTS=-Djava.awt.headless=true \
    -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self'; img-src 'self'; style-src 'self';\""
EOF

# Restart Jenkins
systemctl daemon-reload
systemctl restart jenkins

Jenkins CSP override for system V

# Use correct config file:
# - Red Hat: /etc/sysconfig/jenkins
# - Debian: /etc/default/jenkins
cat <<-'EOF' >> /etc/sysconfig/jenkins
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true \
    -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self'; img-src 'self'; style-src 'self';\""

# Restart Jenkins
service jenkins restart