Issue

• I would like to serve resources from Jenkins.
  For instance, I would like to publish an HTML report.
  Because of the strict Content Security Policy set by Jenkins, I cannot load resources from other domains.

• I see a administrative monitor stating "The default Content-Security-Policy is currently overridden using the hudson.model.DirectoryBrowserSupport.CSP system property, which is a potential security issue when browsing untrusted files. As an alternative, you can set up a Resource Root URL that Jenkins will use to serve some static files without adding Content-Security-Policy headers.
  ".

Environment

• CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master >= 2.204
• CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center >= 2.204
• CloudBees CI (CloudBees Core) on traditional platforms - Client Master >= 2.204
• CloudBees CI (CloudBees Core) on traditional platforms - Operations Center >= 2.204
• CloudBees Jenkins Enterprise - Managed Master >= 2.204
• CloudBees Jenkins Enterprise - Operations Center >= 2.204
• CloudBees Jenkins Platform - Client Master >= 2.204
• CloudBees Jenkins Platform - Operations Center >= 2.204
• CloudBees Jenkins Distribution >= 2.204
• Jenkins LTS >= 2.204

Resolution

Up until Jenkins 2.204 (weekly 2.200), the only way to working around the strict content policy was to relax it.
Please refer to What is Content Security Policy and how does it impact Jenkins? for more information on the topic.

Since Jenkins 2.204, a new feature allows to serve resource from another domain without modifying the Content Security Policy.
For that, you will need to do some configuration.

Configuring the Resource Domain and a new route

On non CloudBees Core on Modern Platforms instances, this means:

• configuring a new DNS route with a CNAME (alias) for your resource domain to your current Jenkins domain.

On CloudBees Core on Modern Platforms instances, this means:

• configuring a new DNS route with a CNAME (alias) for your resource domain to your current Jenkins domain.
• customizing the configuration of the ingress of your master to point the resource url to the master service.
  You can do so by opening the master configuration from <cjoc_url>/job/<master_name>/configure, scroll down to the Advanced Configuration section and add a new ingress route looking like:

---
apiVersion: "extensions/v1beta1"
kind: "Ingress"
spec:
  rules:
  - host: "<resource_host>"
    http:
      paths:
      - backend:
          serviceName: "${name}"
          servicePort: 80
        path: "${path}"

Configuring the master

Once the route and the DNS record are ready, you need to go to <master_url>/configure and scroll down to the Serve resource files from another domain section to input the resource url.
In case everything is successful, you should see something like the following:

Tested product/plugin versions

• Jenkins 2.204.1

References

• Configuring Content Security Policy