@sofaking
Last active February 26, 2020 14:16
How to relax default Content Security Policy for Jenkins

By default, the Content Security Policy (CSP) in Jenkins does not allow Cucumber HTML reports to be displayed correctly, with styles, embedded images and JS. To fix that, one needs to relax the CSP rules.

In my case, Jenkins is hosted on Ubuntu, so the config file is `/etc/default/jenkins`.
CSP settings should be passed via `JAVA_ARGS`. Just add the following next to your current `JAVA_ARGS` settings and then restart Jenkins.

```sh
JAVA_ARGS="$JAVA_ARGS -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'unsafe-inline'; img-src *\""
```

To be fair, `img-src *` shouldn't be necessary, because obviously I'm hosting the embedded images next to the report itself.
But for some reason `img-src 'self'` didn't work for me, at least in Safari.
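To see exactly how far the policy above opens things up compared with what Jenkins ships, here is a small checker I added for this write-up (it is not part of the gist). It parses a `hudson.model.DirectoryBrowserSupport.CSP` value, applies the `default-src` fallback the way a browser does, and lists every directive that is wider than the Jenkins default, which is assumed here to be `sandbox; default-src 'none'; img-src 'self'; style-src 'self';` as documented by Jenkins. The policy strings `GIST_POLICY` and `TIGHTER_POLICY` are the two variants discussed in the text; everything else is illustrative.

```python
"""Compare a Jenkins CSP value against the Jenkins default and report what was relaxed.

Added example for this write-up; not code from the gist or from Jenkins.
"""

from typing import Dict, List

# Jenkins' documented default for hudson.model.DirectoryBrowserSupport.CSP (assumption).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# The value from the gist, and the variant the author would have preferred (img-src 'self').
GIST_POLICY = "sandbox allow-scripts; default-src 'unsafe-inline'; img-src *"
TIGHTER_POLICY = "sandbox allow-scripts; default-src 'unsafe-inline'; img-src 'self'"

# Fetch directives we report on; script-src is included because the gist's policy
# has no explicit script-src, so it inherits default-src ('unsafe-inline').
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are separated by ';', tokens by whitespace, names are case-insensitive.
    A bare directive such as 'sandbox' maps to an empty list. As in CSP, a repeated
    directive is ignored and the first occurrence wins.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a fetch directive, falling back to default-src like a browser."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def compare_to_default(candidate: str, baseline: str = JENKINS_DEFAULT_CSP) -> List[str]:
    """Return one human-readable finding per way `candidate` is looser than `baseline`."""
    cand, base = parse_csp(candidate), parse_csp(baseline)
    findings: List[str] = []

    # The sandbox directive is not a fetch directive: removing it, or adding allow-* flags, relaxes it.
    if "sandbox" not in cand:
        findings.append("sandbox: directive removed")
    else:
        added = sorted(set(cand["sandbox"]) - set(base.get("sandbox", [])))
        if added:
            findings.append("sandbox: added " + " ".join(added))

    for directive in FETCH_DIRECTIVES:
        cand_eff = set(effective_sources(cand, directive))
        base_eff = set(effective_sources(base, directive))
        # 'none' is the tightest value, so it never counts as widening.
        widened = sorted((cand_eff - base_eff) - {"'none'"})
        if widened:
            findings.append(f"{directive}: widened to {' '.join(widened)}")
    return findings


if __name__ == "__main__":
    for label, policy in (("gist", GIST_POLICY), ("tighter", TIGHTER_POLICY)):
        print(f"[{label}] {policy}")
        for finding in compare_to_default(policy):
            print("  -", finding)
```

Running it shows that the gist's value does more than permit inline scripts and styles: because no `script-src` or `style-src` is given, both inherit `'unsafe-inline'` from `default-src`, and `img-src *` lets report pages pull images from any origin. The `TIGHTER_POLICY` variant drops only the last of those findings, which is the trade-off the author describes.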


If you want to play with different settings without restarting Jenkins, you can do it via the Groovy console.

1. Download jenkins-cli.jar: `curl -O http://%jenkins_address%/jnlpJars/jenkins-cli.jar`
2. Log in: `java -jar jenkins-cli.jar -s http://%jenkins_address% login --username %jenkins_admin_username%`
3. Open the console: `java -jar jenkins-cli.jar -s http://%jenkins_address%/ groovysh`
4. Check the current settings: `System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")`
5. Set the new settings: `System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'unsafe-inline'; img-src *")`

Note that after a restart the settings will be dropped back to the defaults.
More information:

* [Jenkins Wiki](https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy)
* [CSP Reference](https://content-security-policy.com)
* [Stack Overflow](http://stackoverflow.com/questions/37618892/jenkins-content-security-policy)