jenkinsci · daniel-beck · Nov 25, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 10, 2025
diff --git a/core/src/main/java/hudson/markup/MarkupFormatter.java b/core/src/main/java/hudson/markup/MarkupFormatter.java
@@ -35,11 +35,8 @@
 import java.io.Writer;
 import java.util.Collections;
 import java.util.Map;
-import java.util.function.Function;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
 import jenkins.util.SystemProperties;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -133,7 +130,7 @@ public HttpResponse doPreviewDescription(@QueryParameter String text) throws IOE
         translate(text, w);
         Map<String, String> extraHeaders = Collections.emptyMap();
         if (PREVIEWS_SET_CSP) {
-            extraHeaders = Stream.of("Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy").collect(Collectors.toMap(Function.identity(), v -> "default-src 'none';"));
+            extraHeaders = Map.of("Content-Security-Policy", "default-src 'none';");
         }
         return html(200, w.toString(), extraHeaders);
     }

diff --git a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -64,6 +64,7 @@
 import jenkins.security.MasterToSlaveCallable;
 import jenkins.security.ResourceDomainConfiguration;
 import jenkins.security.ResourceDomainRootAction;
+import jenkins.security.csp.CspHeader;
 import jenkins.util.SystemProperties;
 import jenkins.util.VirtualFile;
 import org.apache.commons.io.IOUtils;
@@ -398,13 +399,14 @@ private void serveFile(StaplerRequest2 req, StaplerResponse2 rsp, VirtualFile ro
                 rsp.sendRedirect(302, ResourceDomainRootAction.get().getRedirectUrl(resourceToken, req.getRestOfPath()));
             } else {
                 if (!ResourceDomainConfiguration.isResourceRequest(req)) {
-                    // if we're serving this from the main domain, set CSP headers
+                    // If we're serving this from the main domain, set CSP headers. These override the default CSP headers.
                     String csp = SystemProperties.getString(CSP_PROPERTY_NAME, DEFAULT_CSP_VALUE);
                     if (!csp.trim().isEmpty()) {
                         // allow users to prevent sending this header by setting empty system property
-                        for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                            rsp.setHeader(header, csp);
-                        }
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), csp);
+                    } else {
+                        // Clear the header value if configured by the user.
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), null);
                     }
                 }
                 InputStream in;

diff --git a/core/src/main/java/hudson/util/FormFieldValidator.java b/core/src/main/java/hudson/util/FormFieldValidator.java
@@ -231,9 +231,7 @@
         } else {
             response.setContentType("text/html;charset=UTF-8");
             if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-                for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                    response.setHeader(header, "sandbox; default-src 'none';");
-                }
+                response.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
             }
             response.getWriter().print("<div class=" + cssClass + ">" +
                     message + "</div>");

diff --git a/core/src/main/java/hudson/util/FormValidation.java b/core/src/main/java/hudson/util/FormValidation.java
@@ -612,9 +612,7 @@ public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object n
     protected void respond(StaplerResponse2 rsp, String html) throws IOException, ServletException {
         rsp.setContentType("text/html;charset=UTF-8");
         if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-            for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                rsp.setHeader(header, "sandbox; default-src 'none';");
-            }
+            rsp.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
         }
         rsp.getWriter().print(html);
     }

diff --git a/core/src/main/java/jenkins/security/csp/BaseContributor.java b/core/src/main/java/jenkins/security/csp/BaseContributor.java
@@ -0,0 +1,48 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import static jenkins.security.csp.Directive.REPORT_SAMPLE;
+import static jenkins.security.csp.Directive.SELF;
+
+import hudson.Extension;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Add a minimal set of CSP directives not expected to be removed later.
+ */
+@Extension(ordinal = Integer.MAX_VALUE)
+@Restricted(NoExternalUse.class)
+public final class BaseContributor implements Contributor {
+    @Override
+    public void apply(CspBuilder cspBuilder) {
+        cspBuilder
+                .initialize(FetchDirective.DEFAULT_SRC, SELF)
+                .initialize(FetchDirective.STYLE_SRC, SELF, REPORT_SAMPLE)
+                .initialize(FetchDirective.IMG_SRC, SELF)
+                .initialize(FetchDirective.SCRIPT_SRC, SELF, REPORT_SAMPLE);
+    }
+}
diff --git a/core/src/main/java/jenkins/security/csp/CompatibleContributor.java b/core/src/main/java/jenkins/security/csp/CompatibleContributor.java
@@ -0,0 +1,53 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import static jenkins.security.csp.Directive.DATA;
+import static jenkins.security.csp.Directive.IMG_SRC;
+import static jenkins.security.csp.Directive.SCRIPT_SRC;
+import static jenkins.security.csp.Directive.STYLE_SRC;
+import static jenkins.security.csp.Directive.UNSAFE_INLINE;
+
+import hudson.Extension;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Add the CSP directives currently required for Jenkins to work properly.
+ * The long-term goal is for these directives to become unnecessary.
+ * Any for which we determine with high confidence they can never be fixed
+ * should be moved into {@link jenkins.security.csp.BaseContributor} instead.
+ */
+@Extension(ordinal = Integer.MAX_VALUE / 2.0)
+@Restricted(NoExternalUse.class)
+public final class CompatibleContributor implements Contributor {
+    @Override
+    public void apply(CspBuilder cspBuilder) {
+        cspBuilder
+                .add(STYLE_SRC, UNSAFE_INLINE) // Infeasible for now given inline styles in SVGs
+                .add(IMG_SRC, DATA) // TODO https://github.com/jenkinsci/csp-plugin/issues/60
+                .add(SCRIPT_SRC, "usage.jenkins.io"); // TODO https://issues.jenkins.io/browse/JENKINS-76268
+    }
+}
diff --git a/core/src/main/java/jenkins/security/csp/Contributor.java b/core/src/main/java/jenkins/security/csp/Contributor.java
@@ -0,0 +1,50 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.csp;
+
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.Beta;
+
+/**
+ * Contribute to the Content-Security-Policy rules.
+ */
+@Restricted(Beta.class)
+public interface Contributor extends ExtensionPoint {
-public interface Contributor extends ExtensionPoint {
+public interface CspContributor extends ExtensionPoint {
-public interface Contributor extends ExtensionPoint {
+public interface CspContributor extends ExtensionPoint {
+
+    /**
+     * Contribute to the builder's rules by adding to or
+     * removing from the provided {@link jenkins.security.csp.CspBuilder}.
+     *
+     * @param cspBuilder the builder
+     */
+    default void apply(CspBuilder cspBuilder) {
+    }
+
+    static ExtensionList<Contributor> all() {
+        return ExtensionList.lookup(Contributor.class);
+    }
+}