Artifact download links not working inside an HTML page artifact

I have a Jenkins job which produces an HTML file as an artifact. On the Jenkins job page, I can open this page fine. This page contains links to other artifacts, either to the same Jenkins server or to another Hudson server working on a different port.

The problem is that when left-clicking on the link nothing happens, no download is started for .exe, .zip or .tar.gz files (only .txt files are displayed as expected). The same thing used to work without problems in the Hudson server, we are just trying to migrate it over to Jenkins. Basically the same links (just relative, not full URL-s) work fine on the individual job pages in the same Jenkins.

The download is only started when I right-click and select “Save link as…” or “Open the link in new tab”. Also, if I save the original page in a disk .html file, open this file in the browser from the disk and click the links, everything works as expected.

Any ideas? The behavior is consistent across browsers, so seems to have something to do with the Jenkins server.

Jenkins setup:

Jenkins: 2.449
OS: Linux - 4.12.14-lp151.28.91-default
Java: 11.0.9 - Oracle Corporation (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
analysis-model-api:12.1.0
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
aws-java-sdk-minimal:1.12.633-430.vf9a_e567a_244f
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1152.v6f101e97dd77
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-folder:6.858.v898218f3609d
cobertura:1.17
code-coverage-api:4.99.0
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
copyartifact:722.v0662a_9b_e22a_c
coverage:1.13.0
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:657.v2b_19db_7d6e6d
data-tables-api:2.0.1-1
display-url-api:2.200.vb_9327d658781
durable-task:550.v0930093c4b_a_6
echarts-api:5.5.0-1
email-ext:2.105
font-awesome-api:6.5.1-3
forensics-api:2.4.0
git:5.2.1
git-client:4.7.0
git-parameter:0.9.19
git-server:114.v068a_c7cc2574
github:1.38.0
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1772.va_69eda_d018d4
gradle:2.10
greenballs:1.15.1
gson-api:2.10.1-15.v0d99f670e0a_7
handlebars:3.0.8
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.16.2-378.v7e79818f53ce
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.19-1
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery:1.12.4-1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-33.v2527142f2e1d
junit:1259.v65ffcef24a_88
ldap:711.vb_d1a_491714dc
locale:431.v3435fa_8f8445
lockable-resources:1243.v346d600eea_24
mailer:470.vc91f60c5d8e2
mapdb-api:1.0.9-28.vf251ce40855d
material-theme:0.5.2-rc100.6121925fe229
matrix-auth:3.2.2
matrix-project:822.824.v14451b_c0fd42
maven-plugin:3.23
mina-sshd-api-common:2.12.0-90.v9f7fb_9fa_3d3b_
mina-sshd-api-core:2.12.0-90.v9f7fb_9fa_3d3b_
momentjs:1.1.1
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.10
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2175.v76a_fff0a_2618
pipeline-model-definition:2.2175.v76a_fff0a_2618
pipeline-model-extensions:2.2175.v76a_fff0a_2618
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2175.v76a_fff0a_2618
pipeline-stage-view:2.34
pipeline-utility-steps:2.16.2
plain-credentials:179.vc5cb_98f6db_38
plugin-util-api:4.1.0
popper-api:1.16.1-3
popper2-api:2.11.6-4
prism-api:1.29.0-13
s3:466.vf5b_3db_8e3eb_2
scm-api:683.vb_16722fb_b_80b_
script-security:1326.vdb_c154de8669
simple-theme-plugin:176.v39740c03a_a_f5
snakeyaml-api:2.2-111.vc6598e30cc65
solarized-theme:0.1
ssh-agent:346.vda_a_c4f2c8e50
ssh-credentials:322.v124df57ed808
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
subversion:2.17.3
theme-manager:215.vc1ff18d67920
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.141.v284120fd0c46
variant:60.v7290fc0eb_b_cd
warnings-ng:11.2.0
workflow-aggregator:596.v8c21c963d92d
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1049.v257a_e6b_30fb_d
workflow-cps:3883.vb_3ff2a_e3eea_f
workflow-cps-global-lib:612.v55f2f80781ef
workflow-durable-task-step:1331.vc8c2fed35334
workflow-job:1385.vb_58b_86ea_fff1
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:415.v434365564324
workflow-step-api:657.v03b_e8115821b_
workflow-support:865.v43e78cc44e0d

Answering myself again. This is related to Content-Security-Policy thing. For getting the download links working one needs to add ‘sandbox allow-downloads’. So now my jenkins configuration settings, as seen by

sudo systemctl edit jenkins

are the following (these include the options needed for suppressing the dreaded workspace wipeout, and getting the XML files automatically rendered by specified XSLT files:

[Service]
Environment="JENKINS_PORT=8081"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Dhudson.model.WorkspaceCleanupThread.disabled=true -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-same-origin allow-downloads; default-src 'self';\""