Issue
- As part of the Jenkins Security Advisory 2016-07-27, Jenkins 1.641 and 1.625.3 and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks via workspace files and archived artifacts served through DirectoryBrowserSupport (SECURITY-95).
To work around the restrictions imposed by Content-Security-Policy, the Cucumber Reports Plugin disabled this XSS protection, until Jenkins was restarted, whenever any user viewed a Cucumber Report.
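To confirm on a running instance that the protection described above is still in effect, the following added example (not code from the advisory, Jenkins or the plugin) requests a workspace or artifact URL and checks that a restrictive Content-Security-Policy header comes back; the directives it expects are an assumption based on the default policy Jenkins applies to DirectoryBrowserSupport responses, and the sample headers are constructed.

```python
"""Check that Jenkins still sends a restrictive Content-Security-Policy
header on DirectoryBrowserSupport content (workspace files, archived artifacts).
Added example; not part of the advisory, Jenkins or the Cucumber Reports Plugin."""
import sys
import urllib.request

# Constructed sample header sets: one intact, one as left behind by a plugin
# that blanked the policy (the failure mode this advisory describes).
SAMPLE_INTACT = {"Content-Security-Policy":
                 "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"}
SAMPLE_DISABLED = {"Content-Security-Policy": ""}


def parse_csp(value):
    """Split a CSP header value into a {directive: value} mapping."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, rest = part.partition(" ")
            directives[name.lower()] = rest.strip()
    return directives


def evaluate_csp(headers):
    """Return a list of findings; an empty list means the protection is intact.
    `headers` may be a dict or an http.client.HTTPMessage (both have .items())."""
    value = None
    for name, val in headers.items():
        if name.lower() == "content-security-policy":
            value = val
    if value is None:
        return ["Content-Security-Policy header missing"]
    if not value.strip():
        return ["Content-Security-Policy header present but empty (protection disabled)"]
    d = parse_csp(value)
    findings = []
    # Assumption: Jenkins' default policy sandboxes the document and sets default-src 'none'.
    if "sandbox" not in d:
        findings.append("sandbox directive missing")
    if d.get("default-src") != "'none'":
        findings.append(f"default-src is {d.get('default-src')!r}, expected 'none'")
    if "script-src" in d and d["script-src"] != "'none'":
        findings.append(f"script-src permits script execution: {d['script-src']!r}")
    return findings


def check_url(url):
    """HEAD a workspace/artifact URL on the instance under review and evaluate its CSP."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return evaluate_csp(resp.headers)


if __name__ == "__main__":
    # Usage: python check_csp.py https://jenkins.example/job/<job>/ws/<file>
    for line in check_url(sys.argv[1]) or ["CSP protection intact"]:
        print(line)
```

A non-empty result for any workspace or artifact URL means the header is absent or weaker than the default and the instance should be restarted after updating the plugin.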
Environment
- CloudBees Jenkins Enterprise
- Cucumber Reports Plugin < 2.60
Resolution
Users of Cucumber Reports Plugin should update to version 2.6.0 or newer.