Issue

I would like to serve resources from Jenkins.
For instance, I would like to publish an HTML report.
Because of the strict Content Security Policy set by Jenkins, I cannot load resources from other domains.
I see a administrative monitor stating "The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files. As an alternative, you can set up a Resource Root URL that Jenkins will use to serve some static files without adding Content-Security-Policy headers.
".

Environment

CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller >= 2.204
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center >= 2.204
CloudBees CI (CloudBees Core) on traditional platforms - Client controller >= 2.204
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center >= 2.204
CloudBees Jenkins Enterprise - Managed controller >= 2.204
CloudBees Jenkins Enterprise - Operations Center >= 2.204
CloudBees Jenkins Platform - Client controller >= 2.204
CloudBees Jenkins Platform - Operations Center >= 2.204
CloudBees Jenkins Distribution >= 2.204
Jenkins LTS >= 2.204

Resolution

Up until Jenkins 2.204 (weekly 2.200), the only way to working around the strict content policy was to relax it.
Please refer to What is Content Security Policy and how does it impact Jenkins? for more information on the topic.

Since Jenkins 2.204, a new feature allows to serve resource from another domain without modifying the Content Security Policy.
For that, you will need to do some configuration.

Configuring the Resource Domain and a new route

On non CloudBees Core on Modern Platforms instances, this means:

configuring a new DNS route with a CNAME (alias) for your resource domain to your current Jenkins domain.

On CloudBees Core on Modern Platforms instances, this means:

configuring a new DNS route with a CNAME (alias) for your resource domain to your current Jenkins domain.
customizing the configuration of the ingress of your master to point the resource url to the master service.
You can do so by opening the master configuration from <cjoc_url>/job/<master_name>/configure, scroll down to the Advanced Configuration section and add a new ingress route looking like:

---
apiVersion: "extensions/v1beta1"
kind: "Ingress"
spec:
  rules:
  - host: "<resource_host>"
    http:
      paths:
      - backend:
          serviceName: "${name}"
          servicePort: 80
        path: "${path}"

Configuring the master

Once the route and the DNS record are ready, you need to go to <master_url>/configure and scroll down to the Serve resource files from another domain section to input the resource url.
In case everything is successful, you should see something like the following:

Tested product/plugin versions

Jenkins 2.204.1

References

Configuring Content Security Policy

1 Comments

Date Votes

1

Jesse Glick March 23, 2021 19:13

The content for CloudBees CI on modern platforms is incorrect. You merely need to type in the Resource host field in Configure Master Provisioning in operations center.

Comment actions Permalink

Please sign in to leave a comment.