I have a Jenkins server that refuses to properly open some AngularJS-based reports and returns the following error in the console:
Refused to load the font 'http://host:8080/job/JobName%20Automated%20Functional%20Tests%20-%2…A-INF/resources/webjars/Semantic-UI/0.19.0/packaged/fonts/basic.icons.woff' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
The solution was not so hard to find but I fail to apply it. So based on numerous other answers here on SO:
Jenkins Content Security Policy
Refused to apply inline style because it violates the following Content Security Policy directive
I need to relax the CSP settings to allow that content. However, I am not sure where to apply it. Are these CSP settings configured per page or per server? My thinking is that in the case of Jenkins the policy should be set on the underlying server that runs Jenkins? In such a case I should be able to set a policy from the command line when I start Jenkins? So something like this?
C:.jenkins>java -Dhudson.model.DirectoryBrowserSupport.CSP="script-src 'self' 'unsafe-eval'; object-src 'self'" -jar jenkins.war
But that didn't solve my problem. So I just want to establish whether my method of setting the policy is wrong or the actual policy I am setting is incorrect?
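The `default-src` fallback named in the error message above, as an added example that is not part of the original post: it resolves which directive governs a resource type and whether a same-origin resource would load. All function names are hypothetical, the third policy is constructed for illustration, and source matching is simplified to `'none'`, `'self'` and `*`.

```javascript
// Added example: resolve which CSP directive governs a fetch such as a font.
// Fetch directives fall back to default-src when they are not set explicitly.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'worker-src', 'manifest-src',
]);

// Policy taken from the browser error message on the page.
const POLICY_FROM_ERROR = "default-src 'none'";
// Policy passed on the command line in the question.
const POLICY_FROM_COMMAND = "script-src 'self' 'unsafe-eval'; object-src 'self'";
// Constructed policy (assumption): keeps the default, opens same-origin fonts.
const POLICY_CONSTRUCTED = "default-src 'none'; font-src 'self'";

// Parse a policy string into Map(directive name -> source expressions).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { directive, sources } that applies, or null when the policy
// places no restriction on this resource type.
function effectiveSources(policy, directive) {
  const parsed = parsePolicy(policy);
  if (parsed.has(directive)) return { directive, sources: parsed.get(directive) };
  if (FETCH_DIRECTIVES.has(directive) && parsed.has('default-src')) {
    return { directive: 'default-src', sources: parsed.get('default-src') };
  }
  return null;
}

// Simplified matcher: would a same-origin http(s) resource be allowed?
function allowsSameOrigin(policy, directive) {
  const eff = effectiveSources(policy, directive);
  if (eff === null) return true; // no governing directive, no restriction
  const sources = eff.sources.map((s) => s.toLowerCase());
  // An empty list, or 'none' on its own, matches nothing.
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return sources.includes("'self'") || sources.includes('*');
}
```

Comparing the result for a policy with the CSP header the browser actually received (visible in the network tab of the developer tools) shows whether the policy being evaluated is the one that was set.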