This plugin allows administrators to customize the Content Security Policy rules introduced in Jenkins 2.539. This allows relaxing the rules to get otherwise incompatible plugins to work without disabling protections entirely. Alternatively, administrators can also further restrict the rules if they’re willing to spend time fine-tuning them. A new view of received Content Security Policy reports makes it easy to understand how the current rules impact users.
> **Note:** Before version 2.x, this plugin implemented standalone Content Security Policy enforcement. This is obsolete since Jenkins 2.539. Versions 1.x of this plugin should be updated or uninstalled when updating Jenkins to 2.539 or newer.
Install this plugin to have basic reporting of Content Security Policy violations in Jenkins: A new link Content Security Policy Report on the Manage Jenkins page allows administrators to review reported policy violations.
Custom rules can be configured on the Configure Global Security configuration screen as part of the general Content Security Policy configuration. This is also where you can opt out of receiving Content Security Policy reports for anonymous users.
The following rules can be configured:
- **Allow additional fetch source** allows adding additional allowed sources to a specific fetch directive. You can select from a list of common source expressions. Most commonly useful is probably the *Domain specification* option, which allows specifying an arbitrary domain.
- **Allow additional navigation source** allows adding additional allowed sources to the `form-action` or `frame-ancestors` directives. You can select *Self*, which is only useful if the directive has been reset (see below), or *Domain specification*, which allows specifying an arbitrary domain.
- **Reset directive** allows resetting a specific directive. Barring any other rules applied later, the specified directive will not be included in the Content Security Policy header. For fetch directives (e.g., `img-src`), this means they will fall back to their parent directive (e.g., `default-src`). If you check the *Disable Inheritance* box for a fetch directive, the rule will instead set the directive to `'none'`, disallowing everything.
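The three rule types above interact with CSP's own fallback semantics (fetch directives inherit from `default-src`, navigation directives do not, and `'none'` cannot be combined with other sources). The following Python model is an added illustration of those semantics and is not code from this plugin; the baseline policy, the directive sets and the function names are constructed for the example, and the choice to seed an absent fetch directive from `default-src` before adding a source is the example's own, not a statement of how the plugin builds its header.

```python
"""Toy model of how allowFetch / allowNavigation / reset rules reshape a CSP.

Added example, not the Jenkins CSP plugin's code. The baseline policy below
is constructed for illustration and is not the header Jenkins actually sends.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Fetch directives fall back to default-src when they are not explicitly set.
FETCH_DIRECTIVES = frozenset({
    "img-src", "script-src", "style-src", "connect-src", "font-src",
    "object-src", "frame-src", "media-src", "worker-src", "manifest-src",
})
# Navigation directives never inherit from default-src; absent means unrestricted.
NAVIGATION_DIRECTIVES = frozenset({"form-action", "frame-ancestors"})


def baseline_policy() -> Policy:
    """Constructed starting point for the example (hypothetical, not Jenkins')."""
    return {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "form-action": ["'self'"],
    }


def _add_source(policy: Policy, directive: str, source: str, inherit_from: List[str]) -> None:
    current = list(policy.get(directive, inherit_from))
    if current == ["'none'"]:
        current = []  # 'none' is only valid alone; adding a source replaces it
    if source not in current:
        current.append(source)
    policy[directive] = current


def allow_fetch(policy: Policy, directive: str, source: str) -> Policy:
    """Model of 'Allow additional fetch source' for one directive."""
    if directive not in FETCH_DIRECTIVES:
        raise ValueError(f"{directive} is not a fetch directive")
    # Seed an absent directive from default-src so that adding a single source
    # does not silently drop what the page inherited before (example's choice).
    _add_source(policy, directive, source, policy.get("default-src", []))
    return policy


def allow_navigation(policy: Policy, directive: str, source: str) -> Policy:
    """Model of 'Allow additional navigation source' (source may be 'self')."""
    if directive not in NAVIGATION_DIRECTIVES:
        raise ValueError(f"{directive} is not a navigation directive")
    _add_source(policy, directive, source, [])
    return policy


def reset(policy: Policy, directive: str, disable_inheritance: bool = False) -> Policy:
    """Model of 'Reset directive': drop it, or pin it to 'none' when
    inheritance is disabled."""
    if disable_inheritance:
        policy[directive] = ["'none'"]
    else:
        policy.pop(directive, None)
    return policy


def effective_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """What a browser would enforce for `directive` after fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None  # navigation directive absent: no restriction from CSP


def render_header(policy: Policy) -> str:
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def apply_readme_example() -> Policy:
    """Apply the two rules from the CasC snippet in this README."""
    p = baseline_policy()
    allow_fetch(p, "img-src", "avatars.githubusercontent.com")
    reset(p, "object-src", disable_inheritance=True)
    return p


if __name__ == "__main__":
    print(render_header(apply_readme_example()))
```

Running the module prints the header that results from the README's two sample rules; `effective_sources` is the useful check when reviewing a reset rule, because it shows whether a dropped fetch directive quietly widens to `default-src` or whether *Disable Inheritance* was needed to keep it closed.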
CSP plugin 2.x supports configuration via the Jenkins Configuration as Code (CasC) plugin. Sample configuration snippet:

```yaml
security:
  contentSecurityPolicy:
    enforce: true
    advanced:
      - reporting:
          ignoreAnonymousReports: true
      - custom:
          rules:
            - allowFetch:
                allow:
                  byDomain:
                    domain: "avatars.githubusercontent.com"
                directive: "img-src"
            - reset:
                directive: "object-src"
                disableInheritance: true
```
Further examples of configuration snippets can be found in the `src/test/resources/io/jenkins/plugins/csp/` directory of the plugin source code.
All options in `advanced` are also effective while the UI configuration is hidden through the Java system property `jenkins.security.csp.CspHeader.headerName`, or in development mode.
Refer to our contribution guidelines.
Run as `mvn hpi:run -Djenkins.security.csp.impl.DevelopmentHeaderDecider.DISABLED=true` to disable the usually enforced CSP during development, making it configurable. Alternatively, `jenkins.security.csp.impl.DevelopmentHeaderDecider.DISABLED = true` can also be run in the script console.
Licensed under MIT, see LICENSE.