Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.
NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the ‘NeuVector Vulnerability Scanner’ build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected.