Jenkins uses JS files, but how can I restrict JS files from being opened directly from the browser?

Hi,

I want to know how I can restrict the JS files loaded by the Jenkins application from being accessed directly from outside the Jenkins application.

Thanks & regards,
Nagaraj katta

Hello and welcome to this community, @NagarajK. :wave:

I’m not sure I understand your request correctly, but to restrict JavaScript files loaded by the Jenkins application from being accessed directly from outside the Jenkins application, you can use Content Security Policy (CSP) headers.
CSP helps control the resources that can be loaded and executed by the application.

Here are some steps to configure CSP in Jenkins:

  1. Make sure that the Content Security Policy (CSP) plugin is installed on your Jenkins controller. You can install it from the Jenkins plugin manager.
  2. Once the plugin is installed, you can configure the CSP headers to restrict access to JavaScript files. You can do this by adding the following configuration in the Jenkins system configuration:
    • Go to Manage Jenkins → Security.
    • Find the Content Security Policy section.
    • Add the CSP directives to restrict JavaScript file access. For example:
      default-src 'self';
      script-src 'self';

This configuration should ensure that only scripts from the same origin (self) are allowed to be loaded and executed. :crossed_fingers:

  3. Save the configuration changes and restart Jenkins if necessary.

Thanks for the response.

Our CISO team is doing application security, and as part of this there are a few .js files which are outdated (for example yahoo-min.js). They have requested an upgrade to the latest version, but I don’t see anything to update.

So I want to make sure these files are not allowed to be opened directly.
I will follow the above-mentioned steps and see whether that sorts out our requirement.

Thanks & Regards,
Nagaraj Katta


In the latest LTS (2.492.1) we have disabled the Yahoo UI libraries by default, which means yahoo-min.js is no longer loaded by Jenkins itself. You would only need to re-enable it if you use one of the few plugins that haven’t yet removed their usage of YUI.
It would not stop anyone from trying to load the Yahoo libraries from Jenkins into their own website. But Jenkins serves these libraries via a variable URL that changes each time you start Jenkins, so using them from there is not directly possible.

In Jenkins 2.493 and later YUI has been completely removed from Jenkins.

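To check what a given Jenkins instance actually loads (whether yahoo-min.js is still referenced by its pages, and what the changing /static/<token>/ prefix mentioned above currently is), here is an added example script; it is not from this thread or from the Jenkins project. The sample HTML is constructed, and the /static/<token>/ layout and the YUI script paths in it are assumptions about how Jenkins lays out its bundled resources, not something the thread states.

```python
"""Check whether a Jenkins page still loads YUI (yahoo-min.js and friends)
and report the per-startup static resource prefix it uses.

Added example for this thread; not Jenkins project code. The /static/<token>/
layout and the YUI script paths are assumptions, not facts from the thread."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re
import sys
import urllib.request

# Constructed sample page: what a Jenkins page looked like while YUI was still
# enabled. The token after /static/ is the part that changes on every restart.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script src="/jenkins/static/5d0c3b9a/scripts/yui/yahoo/yahoo-min.js"></script>
<script src="/jenkins/static/5d0c3b9a/scripts/yui/dom/dom-min.js"></script>
<script src="/jenkins/static/5d0c3b9a/jsbundles/base.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</head><body></body></html>"""

# YUI files live under a yui/ directory or are named yahoo[-dom-event]-min.js
# (assumed layout).
YUI_PATTERN = re.compile(r"/yui/|/yahoo(?:-dom-event)?-min\.js$", re.IGNORECASE)

# Jenkins bundles its own static files under <context>/static/<token>/;
# the token is assumed to be hexadecimal.
STATIC_PREFIX = re.compile(
    r"^(?:https?://[^/]+)?((?:/[^/]+)*?/static/[0-9a-f]+/)", re.IGNORECASE
)


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_sources(html):
    """All external script URLs referenced by the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def yui_references(html):
    """Script URLs that point at YUI, judged by their path component only."""
    return [src for src in script_sources(html)
            if YUI_PATTERN.search(urlsplit(src).path)]


def static_prefix(html):
    """The /static/<token>/ prefix the page uses, or None if none is found."""
    for src in script_sources(html):
        match = STATIC_PREFIX.match(src)
        if match:
            return match.group(1)
    return None


def audit(html):
    """Summarise what a reviewer wants to know: script count, YUI hits, prefix."""
    return {
        "scripts": len(script_sources(html)),
        "yui": yui_references(html),
        "static_prefix": static_prefix(html),
    }


def audit_url(url):
    """Fetch a live Jenkins page and audit it (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # With a URL argument, audit a live instance; otherwise use the sample.
    result = audit_url(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_HTML)
    print("scripts on page:", result["scripts"])
    print("static prefix (changes each restart):", result["static_prefix"])
    if result["yui"]:
        print("YUI still loaded:")
        for src in result["yui"]:
            print("  ", src)
    else:
        print("no YUI scripts referenced")
```

Running it against your own controller's login or dashboard URL shows whether any plugin has re-enabled YUI; running it twice across a restart shows the prefix change. Note that this only tells you what the page references, not whether the file is fetchable, so it complements rather than replaces the version check the CISO team asked for.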

In case the motivation is the CVEs published for Yahoo UI, they need to read the CVE descriptions. Jenkins is unaffected.