- As part of the Jenkins Security Advisory 2016-07-27, Jenkins 1.641 and 1.625.3 and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95).
To work around the Content-Security-Policy limitations, the Cucumber Reports Plugin disabled this XSS protection whenever any user viewed a Cucumber Report, and the protection stayed disabled until Jenkins was restarted.
- CloudBees Jenkins Enterprise
- Cucumber Reports Plugin < 2.60
Users of Cucumber Reports Plugin should update to version 2.6.0 or newer.
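
One way to check whether the protection described above is currently in effect, as an added example that is not part of the advisory, Jenkins or the plugin: it audits response headers captured from a workspace or archived-artifact URL. The function names, the choice of checks and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit the CSP header on a response served from a Jenkins
# workspace or archived-artifact URL. Sample headers below are constructed.

UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Per CSP, the first occurrence of a directive wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(headers):
    """Return a list of findings; an empty list means the baseline holds."""
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["header missing"]
    policy = parse_csp(value)
    if not policy:
        return ["header empty"]
    findings = []
    if "sandbox" not in policy:
        findings.append("no sandbox directive")
    elif "allow-scripts" in policy["sandbox"]:
        findings.append("sandbox allows scripts")
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    # script-src falls back to default-src when absent.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    risky = sorted(UNSAFE_SOURCES.intersection(script_sources))
    if risky:
        findings.append("script sources allow " + ", ".join(risky))
    return findings

# Constructed samples: restrictive policy, header stripped, policy relaxed.
SAMPLES = {
    "restrictive": {"Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"},
    "stripped": {"Content-Type": "text/html"},
    "relaxed": {"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, audit_csp(headers) or "ok")
```

Because the plugin's workaround lasted until a restart, a check like this is most useful when repeated after report pages have been viewed, not only once after startup.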