From 2326a93b550fa1fa22a84a23fe7b8ff89ef9dcdd Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 14 May 2025 13:25:10 -0700
Subject: [PATCH] Enable a strong enforce CSP by default

---
 server/configs/application.properties         | 31 ---------------
 .../embedded/config/application.properties    | 31 ---------------
 .../src/org/labkey/embedded/LabKeyServer.java | 38 +++++++++++--------
 3 files changed, 23 insertions(+), 77 deletions(-)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index 17af72d480..cb50699a21 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -122,37 +122,6 @@ management.server.port=@@shutdownPort@@
 #jsonaccesslog.condition-if=attributeName
 #jsonaccesslog.condition-unless=attributeName
 
-## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
-#useLocalBuild#csp.enforce=\
-#useLocalBuild#    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
-#useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
-#useLocalBuild#    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
-#useLocalBuild#    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
-#useLocalBuild#    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
-#useLocalBuild#    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
-#useLocalBuild#    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
-#useLocalBuild#    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
-#useLocalBuild#    ${UPGRADE.INSECURE.REQUESTS}                                                            /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
-#useLocalBuild#    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
-#useLocalBuild#    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild#    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
-## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
-
-## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
-csp.report=\
-    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
-    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
-    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
-    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
-    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
-    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
-    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
-    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
-    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
-    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
-## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
-
 ## Use a custom logging configuration
 #logging.config=path/to/alternative/log4j2.xml
 
diff --git a/server/configs/webapps/embedded/config/application.properties b/server/configs/webapps/embedded/config/application.properties
index 62d1459fa3..07a93674a8 100644
--- a/server/configs/webapps/embedded/config/application.properties
+++ b/server/configs/webapps/embedded/config/application.properties
@@ -107,34 +107,3 @@ mail.smtpUser=Anonymous
 ## property name after the "context.additionalWebapps." prefix, and the value is the location of the webapp on disk
 #context.additionalWebapps.firstContextPath=@@/my/webapp/path@@
 #context.additionalWebapps.secondContextPath=@@/my/other/webapp/path@@
-
-## Strong enforce content security policy. Uncomment this when you've tested the strong report-only policy (configured
-## by default via server code and shown below).
-#csp.enforce=\
-#    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
-#    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
-#    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
-#    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
-#    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
-#    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
-#    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
-#    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
-#    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
-#    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
-
-## Strict report-only content security policy that reports violations to this server. This matches the default report
-## policy that's configured via server code; provided here to document the details and provide a starting point if
-## overriding the default CSP is needed. This CSP will become the default *enforce* policy for 25.4 and beyond.
-csp.report=\
-    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
-    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
-    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
-    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
-    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
-    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
-    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
-    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
-    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
-    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index d28d1af2e7..569f871a76 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -66,8 +66,8 @@ public static void main(String[] args)
 
         SpringApplication application = new SpringApplication(LabKeyServer.class);
         application.addListeners(new ApplicationPidFileWriter("./labkey.pid"));
-        // A strong Content Security Policy that reports violations to this server
-        String strongCsp = """
+        // A strong Content Security Policy
+        String baseCsp = """
                 default-src 'self' ;
                 connect-src 'self' ${CONNECTION.SOURCES} ;
                 object-src 'none' ;
@@ -76,27 +76,35 @@ public static void main(String[] args)
                 font-src 'self' data: ${FONT.SOURCES} ;
                 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
                 base-uri 'self' ;
+                frame-src 'self' ${FRAME.SOURCES} ;
+            """;
+        // Add upgrade_insecure_requests substitution, frame-ancestors, and e12 version for enforce CSP
+        String enforceCsp = baseCsp + """
                 ${UPGRADE.INSECURE.REQUESTS}
                 frame-ancestors 'self' ;
-                frame-src 'self' ${FRAME.SOURCES} ;
-                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS}
+                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ;
+            """;
+        // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
+        String reportCsp = baseCsp + """
+                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ;
             """;
         application.setDefaultProperties(Map.of(
-                "server.tomcat.basedir", ".",
-                "server.tomcat.accesslog.directory", logHome,
+            "server.tomcat.basedir", ".",
+            "server.tomcat.accesslog.directory", logHome,
 
-                // Enable HTTP compression for response content
-                "server.compression.enabled", "true",
+            // Enable HTTP compression for response content
+            "server.compression.enabled", "true",
 
-                "server.tomcat.accesslog.enabled", "true",
-                "server.tomcat.accesslog.pattern", "%h %l %u %t \"%r\" %s %b %D %S %I \"%{Referer}i\" \"%{User-Agent}i\" %{LABKEY.username}s %{X-Forwarded-For}i",
-                "jsonaccesslog.pattern", "%h %t %m %U %s %b %D %S \"%{Referer}i\" \"%{User-Agent}i\" %{LABKEY.username}s %{X-Forwarded-For}i",
+            "server.tomcat.accesslog.enabled", "true",
+            "server.tomcat.accesslog.pattern", "%h %l %u %t \"%r\" %s %b %D %S %I \"%{Referer}i\" \"%{User-Agent}i\" %{LABKEY.username}s %{X-Forwarded-For}i",
+            "jsonaccesslog.pattern", "%h %t %m %U %s %b %D %S \"%{Referer}i\" \"%{User-Agent}i\" %{LABKEY.username}s %{X-Forwarded-For}i",
 
-                // Issue 52415: Omit stack traces from Tomcat error pages by default, but propagate error messages
-                "server.error.include-stacktrace", "never",
-                "server.error.include-message", "always",
+            // Issue 52415: Omit stack traces from Tomcat error pages by default, but propagate error messages
+            "server.error.include-stacktrace", "never",
+            "server.error.include-message", "always",
 
-                "csp.report", strongCsp
+            "csp.enforce", enforceCsp,
+            "csp.report", reportCsp
         ));
         application.setBannerMode(Banner.Mode.OFF);
         application.run(args);