The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.
Can setting Jenkins Content Security Policy by Run the Groovy script at at http://jenkinsServer:8080/script( can open the script on manage page).
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP","sandbox allow-scripts; default-src 'none';script-src 'unsafe-inline' http://code.jquery.com/jquery-2.1.0.min.js; img-src dohko.hpeswlab.net 'self' data: ; style-src 'unsafe-inline' 'self';");
For more information about CSP, Please refer to https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy & https://content-security-policy.com/ .