From 0bf34b5b474e3e9bed53319e3ecaa466ed03022e Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Tue, 13 May 2025 12:27:13 -0700
Subject: [PATCH 1/2] Conditionally add upgrade-secure-requests CSP directive
---
server/configs/application.properties | 6 ++--
.../src/org/labkey/embedded/LabKeyServer.java | 30 ++++++++++---------
2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index a616f0c450..9c5013539b 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -132,9 +132,10 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# font-src 'self' data: ${FONT.SOURCES} ; /* Limit font source loading locations */\
 #useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Limit scripts to those with nonces or transitive scripts */\
 #useLocalBuild# base-uri 'self' ; /* Limit the base tags to only source from current server */\
+#useLocalBuild# ${UPGRADE.SECURE.REQUESTS} /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
 #useLocalBuild# frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild# frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild# report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+#useLocalBuild# report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
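Review bot: The added `${UPGRADE.SECURE.REQUESTS}` line is the only directive line in the enforce block without the ` ; ` separator the neighbouring lines carry, so unless the substituted value itself ends in `;`, a non-empty value runs straight into the following `frame-ancestors 'self'`, which a browser would then read as stray values of the upgrade directive rather than as a directive of its own, silently dropping the framing restriction. The substitution code is not in this diff, so I cannot tell whether the value is defined to include its own `;`; either make that so, or record the contract in the comment: `/* Substituted value is empty or a complete directive ending in ';' — conditionally adds upgrade-insecure-requests when HTTPS is required */`. The same observation applies to the report-block hunk `@@ -147,9 +148,10 @@` below and to the `strongCsp` text block added in LabKeyServer.java in this patch, where every other line ends in ` ;` and this one does not.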
@@ -147,9 +148,10 @@ csp.report=\
 font-src 'self' data: ${FONT.SOURCES} ; /* Limit font source loading locations */\
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Limit scripts to those with nonces or transitive scripts */\
 base-uri 'self' ; /* Limit the base tags to only source from current server */\
+ ${UPGRADE.SECURE.REQUESTS} /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
 frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
- report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+ report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 ## Use a custom logging configuration
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 0ed7ce5d14..45f0b3e53f 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -66,6 +66,21 @@ public static void main(String[] args)
 SpringApplication application = new SpringApplication(LabKeyServer.class);
 application.addListeners(new ApplicationPidFileWriter("./labkey.pid"));
+ // A strong Content Security Policy that reports violations to this server
+ String strongCsp = """
+ default-src 'self' ;
+ connect-src 'self' ${CONNECTION.SOURCES} ;
+ object-src 'none' ;
+ style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
+ img-src 'self' data: ${IMAGE.SOURCES} ;
+ font-src 'self' data: ${FONT.SOURCES} ;
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
+ base-uri 'self' ;
+ ${UPGRADE.SECURE.REQUESTS}
+ frame-ancestors 'self' ;
+ frame-src 'self' ${FRAME.SOURCES} ;
+ report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS}
+ """;
 application.setDefaultProperties(Map.of(
 "server.tomcat.basedir", ".",
 "server.tomcat.accesslog.directory", logHome,
@@ -81,20 +96,7 @@ public static void main(String[] args)
 "server.error.include-stacktrace", "never",
 "server.error.include-message", "always",
- // A strong report-only Content Security Policy that reports violations to this server
- "csp.report", """
- default-src 'self' ;
- connect-src 'self' ${CONNECTION.SOURCES} ;
- object-src 'none' ;
- style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
- img-src 'self' data: ${IMAGE.SOURCES} ;
- font-src 'self' data: ${FONT.SOURCES} ;
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
- base-uri 'self' ;
- frame-ancestors 'self' ;
- frame-src 'self' ${FRAME.SOURCES} ;
- report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
- """
+ "csp.report", strongCsp
 ));
 application.setBannerMode(Banner.Mode.OFF);
 application.run(args);
From de967d6126793a519ea759aca7abb62b6e72f6c6 Mon Sep 17 00:00:00 2001
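Review bot: The hoisted text block is still only wired to `csp.report` (see the second hunk `@@ -81,20 +96,7 @@`, and its `cspVersion=r12` is the report-variant tag), but the new comment drops the "report-only" qualifier the removed comment had, and the name `strongCsp` reads as if it were the enforce policy. That invites a later change to pass it as the enforce default without revisiting the report-specific `cspVersion` or the fact that the `${UPGRADE.SECURE.REQUESTS}` line carries no ` ;` terminator like every other line in the block. I would restore the qualifier in the comment, `// A strong report-only Content Security Policy (feeds csp.report) that reports violations to this server`, and rename the local at its two uses, `String reportOnlyCsp = """` / `"csp.report", reportOnlyCsp`. `main` starts and ends outside these hunks.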
From: labkey-jeckels
Date: Tue, 13 May 2025 17:39:42 -0700
Subject: [PATCH 2/2] Fix typo in upgrade-insecure-requests
---
server/configs/application.properties | 3 +--
server/embedded/src/org/labkey/embedded/LabKeyServer.java | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 9c5013539b..17af72d480 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -132,7 +132,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# font-src 'self' data: ${FONT.SOURCES} ; /* Limit font source loading locations */\
 #useLocalBuild# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Limit scripts to those with nonces or transitive scripts */\
 #useLocalBuild# base-uri 'self' ; /* Limit the base tags to only source from current server */\
-#useLocalBuild# ${UPGRADE.SECURE.REQUESTS} /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
+#useLocalBuild# ${UPGRADE.INSECURE.REQUESTS} /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
 #useLocalBuild# frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild# frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
 #useLocalBuild# report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
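Review bot: The typo fix renames the placeholder to `${UPGRADE.INSECURE.REQUESTS}` but leaves the inline comment on the same line saying `upgrade-secure-requests`, which is not a CSP directive name and will mislead anyone reading the block, given that the comments in this file double as the documentation of each directive. The comment should name the real directive: `/* Conditionally add upgrade-insecure-requests directive if HTTPS is required */`. The subject line of this patch already uses the correct spelling, so only the comment text is out of step.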
@@ -148,7 +148,6 @@ csp.report=\
 font-src 'self' data: ${FONT.SOURCES} ; /* Limit font source loading locations */\
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Limit scripts to those with nonces or transitive scripts */\
 base-uri 'self' ; /* Limit the base tags to only source from current server */\
- ${UPGRADE.SECURE.REQUESTS} /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
 frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
 report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 45f0b3e53f..d28d1af2e7 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -76,7 +76,7 @@ public static void main(String[] args)
 font-src 'self' data: ${FONT.SOURCES} ;
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
 base-uri 'self' ;
- ${UPGRADE.SECURE.REQUESTS}
+ ${UPGRADE.INSECURE.REQUESTS}
 frame-ancestors 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
 report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS}
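Review bot: This hunk keeps `${UPGRADE.INSECURE.REQUESTS}` in the embedded `csp.report` default while the properties hunk `@@ -148,7 +148,6 @@` in the same patch removes the placeholder from the file-based `csp.report` block entirely, so the two report-only defaults now disagree on whether the directive is present. If the removal there reflects that `upgrade-insecure-requests` has no effect under a report-only header (my reading of the spec, worth confirming), the same line should be dropped here: delete `${UPGRADE.INSECURE.REQUESTS}` from the text block so it matches the properties file. If the embedded default is meant to differ, a one-line comment above the text block stating why would stop the next reader from "fixing" the mismatch in either direction. `main` starts and ends outside this hunk.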