Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.

ScreenRecorder Plugin 0.7 and earlier programmatically updates the Java system property allowing administrators to customize the Content-Security-Policy header for static files served by Jenkins to include media-src: 'self'. On a Jenkins instance with default configuration, this effectively disables all other directives in the default rule set, including script-src. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are unaffected.