Jenkins sets the Content-Security-Policy header on static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts.
ZAP Pipeline Plugin prior to 1.10 globally disables the Content-Security-Policy header for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
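As an added illustration (not part of this advisory or of either plugin's code), the following Python check classifies the Content-Security-Policy header on a Jenkins static-file response so an administrator can confirm the header is back after upgrading. The expected directive set is Jenkins' documented default for DirectoryBrowserSupport; the job path placeholders and the assumption that the default has not been overridden via the hudson.model.DirectoryBrowserSupport.CSP system property are mine.

```python
"""Classify the Content-Security-Policy header on a Jenkins static-file response.

Added example, not from the advisory or the ZAP Pipeline Plugin. EXPECTED_DIRECTIVES
is Jenkins' documented default for DirectoryBrowserSupport (assumption: it has not
been overridden with the hudson.model.DirectoryBrowserSupport.CSP system property).
"""
import urllib.request
from typing import Mapping, Optional

# Directives Jenkins emits by default for workspace, artifact and userContent files.
EXPECTED_DIRECTIVES = {"sandbox", "default-src 'none'", "img-src 'self'", "style-src 'self'"}

# Paths (relative to the Jenkins root URL) served through DirectoryBrowserSupport.
# "<job>" is a placeholder to be replaced with a real job name.
STATIC_PATHS = ["/userContent/", "/job/<job>/ws/", "/job/<job>/lastSuccessfulBuild/artifact/"]


def parse_csp(value: str) -> set:
    """Split a CSP header value into whitespace-normalised directive strings."""
    return {" ".join(d.split()) for d in value.split(";") if d.strip()}


def csp_status(headers: Mapping[str, str]) -> str:
    """Return 'missing' (no header, as with the affected plugin), 'weak' (header
    present but lacking the default restrictive directives) or 'ok'."""
    value: Optional[str] = None
    for name, v in headers.items():
        if name.lower() == "content-security-policy":  # header names are case-insensitive
            value = v
            break
    if value is None:
        return "missing"
    return "ok" if EXPECTED_DIRECTIVES <= parse_csp(value) else "weak"


def check_url(url: str) -> str:
    """Fetch a static file from a live Jenkins instance and classify its CSP header.
    Needs network access, so the offline demo below does not call it."""
    with urllib.request.urlopen(url) as resp:
        return csp_status(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample headers standing in for real responses.
    healthy = {"Content-Type": "text/html",
               "Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"}
    stripped = {"Content-Type": "text/html"}  # what the affected plugin versions produced
    print(csp_status(healthy), csp_status(stripped))  # ok missing
```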
Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception is file parameter downloads. The behavior of those depends on the specific version of Jenkins:
Content-Security-Policy header.