CSP reports don't get reported locally if using a contextPath#1101
CSP reports don't get reported locally if using a contextPath#1101labkey-adam merged 4 commits intorelease25.3-SNAPSHOTfrom
Conversation
…sing a contextPath
labkey-adam
requested review from
labkey-matthewb,
labkey-mohara and
labkey-willm
labkey-matthewb
left a comment
labkey-matthewb
left a comment
There was a problem hiding this comment.
On second thought, this might not be right. This CSP will also be used for static pages. In that case this might be a nonsense URL. E.g. looks like an ActionURL with an improper container path.
There was a problem hiding this comment.
The CSPs in application.properties are only used for dev enlistments, which use a root contextPath without some modification to the file. If they do that, I think it's reasonable to expect them to modify the CSP as well.
The CSP defined in Java has access to the contextPath and could just include it in the CSP's report-uri, right?
labkey-tchad
left a comment
labkey-tchad
left a comment
There was a problem hiding this comment.
Spring boot support property interpolation. If we prepend the report URI with ${context.contextPath:}, it will fill in the context path (if it is defined)
Given that these are dev-only and short lived (removed starting in 25.6), and the fact that @labkey-willm automation relies on this URI (I think), I'm going to leave the |
Co-authored-by: Trey Chadick <tchad@labkey.com>
Approach was changed to continue to use an absolute URI but explicitly include the context path |
3 participants
Rationale
https://www.labkey.org/home/Developer/issues/issues-details.view?issueId=53319
Adding the context path to the
report-uridoes the trick -- tested both with and without a context path. Note: for this to work correctly, any providedcontextPathvalue must start with a slash. Credit to @labkey-tchad for current approach.Related Pull Requests