Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Article ID: 224779247

Issue

  • As part of the Jenkins Security Advisory 2016-07-27, Jenkins 1.641 and 1.625.3 and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95).

To work around the limitations that Content-Security-Policy imposes on its reports, the Cucumber Reports Plugin disabled this XSS protection for the whole Jenkins instance whenever any user viewed a Cucumber Report, and the protection stayed disabled until Jenkins was restarted.
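Because the protection is switched off instance-wide and silently, a practitioner will want a way to confirm that workspace files and archived artifacts are actually being served with the protective header, for example after updating the plugin or restarting Jenkins. The script below is an added example written for this article; it is not code from the article, from Jenkins or from the Cucumber Reports Plugin. It parses the Content-Security-Policy header of a response and classifies it as missing, weakened or sandboxing. The expected directives (`sandbox` and `default-src 'none'`), the sample URL and the constructed sample responses are assumptions made for the example.

```python
"""Check whether a file served by Jenkins (workspace file or archived artifact)
still carries a sandboxing Content-Security-Policy header.

Added example for this article; not part of Jenkins or the Cucumber Reports Plugin.
"""
import urllib.request
from typing import Dict, List, Tuple

# Assumption: a sandboxing policy for served files should at least declare the
# 'sandbox' directive and restrict default-src to 'none'. Anything looser is
# treated as a weakened policy, and no header at all as the protection being off.


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue  # skip empty segments such as a trailing ';'
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_csp(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify the CSP of one response.

    headers: response header names to values (lookup is case-insensitive).
    Returns ("missing" | "weak" | "ok", human-readable reason).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return "missing", "no Content-Security-Policy header: served file is not sandboxed"
    policy = parse_csp(value)
    if "sandbox" not in policy:
        return "weak", "CSP present but without the 'sandbox' directive"
    default_src = [src.lower() for src in policy.get("default-src", [])]
    if "'none'" not in default_src:
        return "weak", "CSP present but default-src is not 'none'"
    return "ok", "CSP sandboxes the served file"


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch the response headers for a URL, e.g. a file under .../ws/ or .../artifact/.

    Requires network access and, for a secured Jenkins, valid credentials;
    the URL is whatever your own instance serves and is not taken from the article.
    """
    request = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "protected": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';",
    },
    "header_removed": {
        "Content-Type": "text/html",
    },
    "loosened": {
        "Content-Type": "text/html",
        "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    },
}


def assess_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns {sample name: status}."""
    return {name: assess_csp(headers)[0] for name, headers in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, status in assess_samples().items():
        print(f"{name:15s} -> {status}")
    # Against a live instance (assumed URL, adjust to your own job and file):
    # status, reason = assess_csp(fetch_headers("https://jenkins.example.test/job/demo/ws/index.html"))
```

Run it against a workspace file or artifact URL on your own instance with `fetch_headers`; a `missing` or `weak` result after a report has been viewed is the symptom this article describes, and `ok` after updating the plugin and restarting Jenkins confirms the protection is back in place.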

Environment

Resolution

Users of Cucumber Reports Plugin should update to version 2.6.0 or newer.