From 9d0fbd7818d44c319de0f876f5ed35b4bc513e0c Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 19 Jun 2025 11:26:55 -0700
Subject: [PATCH 1/4] Issue 53319: CSP reports don't get written to the csp-report.log if using a contextPath
---
 server/configs/application.properties | 4 ++--
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 660e9d2f45..f2968c8041 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -140,7 +140,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# base-uri 'self' ; /* Limit the base tags to only source from current server */\
 #useLocalBuild# frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild# frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild# report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+#useLocalBuild# report-uri admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)

 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
@@ -155,7 +155,7 @@ csp.report=\
 base-uri 'self' ; /* Limit the base tags to only source from current server */\
 frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
- report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+ report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)

 ## Use a custom logging configuration
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 8668045f69..899b76e277 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -94,7 +94,7 @@ public static void main(String[] args)
 base-uri 'self' ;
 frame-ancestors 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
- report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
+ report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
 """
 ));
 application.setBannerMode(Banner.Mode.OFF);

From ef9173c0077e87201da8442822268fefc5a50ae7 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 19 Jun 2025 11:34:49 -0700
Subject: [PATCH 2/4] Line up the comments
---
 server/configs/application.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index f2968c8041..7246d13282 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -140,7 +140,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# base-uri 'self' ; /* Limit the base tags to only source from current server */\
 #useLocalBuild# frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild# frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild# report-uri admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+#useLocalBuild# report-uri admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)

 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
@@ -155,7 +155,7 @@ csp.report=\
 base-uri 'self' ; /* Limit the base tags to only source from current server */\
 frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
- report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+ report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)

 ## Use a custom logging configuration

From 0ef8c8debb43a04df3daae43189d7a54ffd3d516 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 19 Jun 2025 16:19:01 -0700
Subject: [PATCH 3/4] Revert changes to default CSP report-uris
---
 server/configs/application.properties | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 7246d13282..272a9f52dd 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -46,6 +46,7 @@ context.encryptionKey=@@encryptionKey@@

 ## By default, we serve LabKey at the root context path (e.g. http://localhost:8080)
 ## You may customize the context path if you wish (e.g. http://localhost:8080/labkey)
+## Context path value must start with a slash
 #context.contextPath=/labkey

 ## Using a legacy context path provides backwards compatibility with old deployments. A typical use case would be to
@@ -140,7 +141,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild# base-uri 'self' ; /* Limit the base tags to only source from current server */\
 #useLocalBuild# frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild# frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild# report-uri admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+#useLocalBuild# report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)

 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
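Review bot: The restored `report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&...` in the `@@ -140,7 +141,7 @@` hunk is a root-absolute path with no context path in it, so once `context.contextPath=/labkey` (documented in the `@@ -46,6 +46,7 @@` hunk of this same commit) is enabled, browsers would post violation reports outside the application context and nothing would reach the CSP report log, which is the symptom the series title describes. Unless the server rewrites this directive elsewhere (not visible in this patch), consider the form the last commit of the series uses for the built-in default, `report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ;`, or at least a comment such as `## If context.contextPath is set, the report-uri path must be prefixed with it`. The `csp.report` hunk at `@@ -155,7 +156,7 @@` carries the same line with `cspVersion=r11` and needs the same treatment. Silently dropped reports remove the signal operators use to notice blocked or injected content.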
@@ -155,7 +156,7 @@ csp.report=\
 base-uri 'self' ; /* Limit the base tags to only source from current server */\
 frame-ancestors 'self' ; /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 frame-src 'self' ${FRAME.SOURCES} ; /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
- report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+ report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)

 ## Use a custom logging configuration

From 88d88fe7841712f31c79dcb824bff23378bfe4c4 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 19 Jun 2025 16:19:55 -0700
Subject: [PATCH 4/4] Update server/embedded/src/org/labkey/embedded/LabKeyServer.java

Co-authored-by: Trey Chadick
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 899b76e277..69fe7bfee5 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -94,7 +94,7 @@ public static void main(String[] args)
 base-uri 'self' ;
 frame-ancestors 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
- report-uri admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
+ report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
 """
 ));
 application.setBannerMode(Banner.Mode.OFF);
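Review bot: In the `LabKeyServer.java` hunk the new default `report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api...` joins the configured value to the path with no normalisation, so its correctness rests on the operator following the "must start with a slash" comment in `application.properties`. A value of `/`, or any value ending in a slash, produces `//admin-contentSecurityPolicyReport.api...` or `/labkey//admin-...`; the first is a scheme-relative URL whose host part is `admin-contentSecurityPolicyReport.api`, so violation reports (which include document URLs) would be addressed off the server, and a value without a leading slash makes the endpoint relative to each page. If it is not already done elsewhere, I would validate `context.contextPath` at startup, rejecting values that do not start with `/` or that end with `/`, before this default is built. At minimum add above the text block `// context.contextPath must start with '/' and must not end with '/'; otherwise the report-uri below is malformed`. `main` starts and ends outside this hunk, so where the property is read cannot be confirmed from here.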