I support a Jenkins instance for my company and we are using the HTML Publisher plugin. One of our users has a scala test that publishes a report, but the report does not show CSS or JS. I looked online and it looks like I need to modify the CSP to allow CSS and JS. I'm looking at the page below to try and configure it. https://www.jenkins.io/doc/book/system-administration/security/configuring-content-security-policy/#ConfiguringContentSecurityPolicy-HTMLPublisherPlugin I can fix this temporarily by using
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';");
This looks like this would disable CSP entirely which would obviously make our Jenkins more vulnerable. So, I'm trying to understand how I would modify the header to allow the CSS and JS for the HTML Publisher plugin, without creating unnecessary vulnerabilities.
Any suggestions are appreciated. Thanks!