Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Article ID:224779247

Issue

  • As part of the Jenkins Security Advisory 2016-07-27, Jenkins 1.641 and 1.625.3 and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers to protect against Cross-Site Scripting attacks that use workspace files and archived artifacts served through DirectoryBrowserSupport (SECURITY-95).

To work around the restrictions imposed by Content-Security-Policy, the Cucumber Reports Plugin disabled this XSS protection whenever any user viewed a Cucumber Report. The protection then stayed disabled for all workspace files and archived artifacts until Jenkins was restarted.
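A defender-side check for this class of problem, added here as an example and not code from the article, CloudBees or the plugin: it classifies the Content-Security-Policy header observed on a workspace file or artifact URL as missing, weakened or intact. The default policy string is the one Jenkins applies when the hudson.model.DirectoryBrowserSupport.CSP system property is not overridden; the classification rules, the URLs and the sample responses are constructed assumptions for illustration.

```python
import urllib.request
from typing import Dict, List, Optional

# Assumed default Jenkins applies to files served through DirectoryBrowserSupport
# (workspace files and archived artifacts) when the
# hudson.model.DirectoryBrowserSupport.CSP system property is left untouched.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Directives a served-file policy must carry to be considered intact (assumption).
REQUIRED_DIRECTIVES = {"sandbox", "default-src"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_csp(headers: Dict[str, str]) -> str:
    """Return 'missing', 'weak' or 'ok' for the CSP on a served workspace/artifact file."""
    value = _get_header(headers, "Content-Security-Policy")
    # An absent or empty header is what a runtime override to "" produces.
    if value is None or not value.strip():
        return "missing"
    policy = parse_csp(value)
    if not REQUIRED_DIRECTIVES.issubset(policy):
        return "weak"
    # Effective script policy: script-src if present, else default-src fallback.
    script_sources = policy.get("script-src", policy["default-src"])
    if script_sources != ["'none'"]:
        return "weak"
    return "ok"


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live variant: fetch response headers for a workspace/artifact URL (needs network)."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each URL to its CSP verdict."""
    return {url: assess_csp(headers) for url, headers in responses.items()}


# Constructed sample responses standing in for three Jenkins instances.
SAMPLE_RESPONSES = {
    # Hardened instance: default policy present.
    "https://ci-a.example/job/app/ws/report/index.html": {
        "Content-Type": "text/html",
        "Content-Security-Policy": JENKINS_DEFAULT_CSP,
    },
    # Instance where a plugin cleared the property at runtime: header gone.
    "https://ci-b.example/job/app/lastSuccessfulBuild/artifact/index.html": {
        "Content-Type": "text/html",
    },
    # Instance with a hand-relaxed policy that still lets served HTML run script.
    "https://ci-c.example/job/app/ws/report/index.html": {
        "Content-Type": "text/html",
        "content-security-policy": "sandbox; default-src 'self'",
    },
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:8} {url}")
```

Run it against a real instance by replacing the constructed dictionary with the result of fetch_headers on a workspace or artifact URL; a "missing" verdict after a plugin page has been viewed is the symptom this article describes, and it persists until the controller is restarted.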

Resolution

Users of Cucumber Reports Plugin should update to version 2.6.0 or newer.

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.