From 53b0ee1faf4098248d999a3f56a4a84badfc5817 Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 19 Dec 2024 13:37:36 -0800
Subject: [PATCH 1/2] Enable "enforce" CSP for dev deployments
---
 server/configs/application.properties | 41 ++++++++------------------
 1 file changed, 12 insertions(+), 29 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 8571c6500a..f6f67899ae 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -128,35 +128,18 @@ management.server.port=@@shutdownPort@@
 ## Define one or both of 'csp.report' and 'csp.enforce' to enable Content Security Policy (CSP) headers
 ## Do not use these examples for any production environment without understanding the meaning of each directive!
-## example usage 1 - very strict, disallows 'external' websites, disallows unsafe-inline, but only reports violations (does not enforce)
-
-#csp.report=\
-# default-src 'self';\
-# connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
-# object-src 'none' ;\
-# style-src 'self' 'unsafe-inline' ;\
-# img-src 'self' data: ;\
-# font-src 'self' data: ;\
-# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
-# base-uri 'self' ;\
-# upgrade-insecure-requests ;\
-# frame-ancestors 'self' ;\
-# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
-
-## example usage 2 - less strict but enforces directives, (NOTE: unsafe-inline is still required for many modules)
-
-#csp.enforce=\
-# default-src 'self' https: ;\
-# connect-src 'self' https: ${LABKEY.ALLOWED.CONNECTIONS};\
-# object-src 'none' ;\
-# style-src 'self' https: 'unsafe-inline' ;\
-# img-src 'self' data: ;\
-# font-src 'self' data: ;\
-# script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}';\
-# base-uri 'self' ;\
-# upgrade-insecure-requests ;\
-# frame-ancestors 'self' ;\
-# report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+## Default CSP for dev deployments
+#useLocalBuild#csp.enforce=\
+#useLocalBuild# default-src 'self' https: http: ;\
+#useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
+#useLocalBuild# object-src 'none' ;\
+#useLocalBuild# style-src 'self' https: 'unsafe-inline' ;\
+#useLocalBuild# img-src 'self' https: data: ;\
+#useLocalBuild# font-src 'self' http: https: data: ;\
+#useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 
'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+#useLocalBuild# base-uri 'self' ;\
+#useLocalBuild# frame-ancestors 'self' ;\
+#useLocalBuild# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 ## Default CSP for TeamCity and dev deployments
 csp.report=\
From c03b7e84f47e89f94a62cd4f0eadd0e87e4c2577 Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 19 Dec 2024 13:50:44 -0800
Subject: [PATCH 2/2] Update comments
---
 server/configs/application.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index f6f67899ae..6d2dc1e758 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -128,7 +128,7 @@ management.server.port=@@shutdownPort@@
 ## Define one or both of 'csp.report' and 'csp.enforce' to enable Content Security Policy (CSP) headers
 ## Do not use these examples for any production environment without understanding the meaning of each directive!
-## Default CSP for dev deployments
+## Default enforce CSP for dev deployments
 #useLocalBuild#csp.enforce=\
 #useLocalBuild# default-src 'self' https: http: ;\
 #useLocalBuild# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
@@ -141,7 +141,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# frame-ancestors 'self' ;\
 #useLocalBuild# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
-## Default CSP for TeamCity and dev deployments
+## Default report CSP for TeamCity and dev deployments
 csp.report=\
 default-src 'self' https: http: ;\
 connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
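Review bot: The new `csp.enforce` block in the first patch has no `form-action` directive, and `form-action` does not fall back to `default-src`, so form submissions from a dev server stay unrestricted by this policy even though `base-uri` and `frame-ancestors` are pinned to `'self'`; adding `#useLocalBuild# form-action 'self' ;\` next to those two lines would close the gap, assuming the property value is emitted as the header verbatim. The `ws:` source in `connect-src` matches any websocket host, so if it exists only for local dev tooling the narrower `ws://localhost:*` expresses that intent without widening the policy (the same `ws:` appears in the `csp.report` policy shown as context in the second patch). Dropping `upgrade-insecure-requests` and allowing scheme-wide `http:` in `default-src` and `font-src` look deliberate for plain-http dev servers, but nothing in the block says so; a comment such as `## http: sources and no upgrade-insecure-requests are intentional for non-TLS dev servers` would stop the next reader from treating them as oversights or copying them into another profile.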