From a261be6b50003665fb8316b4b3d02cc1fe92e67d Mon Sep 17 00:00:00 2001
From: bbimber
Date: Tue, 16 Sep 2025 06:53:16 -0700
Subject: [PATCH 1/2] Support Directive.Script in ContentSecurityPolicyFilter.registerAllowedSources
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index e716072caf..e32830258e 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -74,6 +74,7 @@ public static void main(String[] args)
 object-src ${OBJECT.SOURCES} ; /* Substitution value defaults to 'none' unless overridden by an admin */
 style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
 img-src 'self' data: ${IMAGE.SOURCES} ;
+ script-src-elem 'self' ${SCRIPT.SOURCES} ;
 font-src 'self' data: ${FONT.SOURCES} ;
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
 base-uri 'self' ;
From 6846b534b57cfba3efa3da65bea6775a4c15255a Mon Sep 17 00:00:00 2001
From: bbimber
Date: Wed, 17 Sep 2025 11:54:45 -0700
Subject: [PATCH 2/2] Update script-src pattern
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index e32830258e..b6e9b38acf 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -74,9 +74,8 @@ public static void main(String[] args)
 object-src ${OBJECT.SOURCES} ; /* Substitution value defaults to 'none' unless overridden by an admin */
 style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
 img-src 'self' data: ${IMAGE.SOURCES} ;
- script-src-elem 'self' ${SCRIPT.SOURCES} ;
 font-src 'self' data: ${FONT.SOURCES} ;
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ${SCRIPT.SOURCES} ;
 base-uri 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
 """;
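Review bot: The `${SCRIPT.SOURCES}` appended to the `script-src` line is inert in any browser that honors `'strict-dynamic'`, because that keyword makes host-source and `'self'` entries in the same directive ignored; only nonces, hashes, and scripts loaded by an already-trusted script are permitted. If an admin registers a CDN host here expecting its `<script>` tags to load without a nonce, they will be blocked in current Chrome, Firefox and Safari and only allowed by older CSP2-only engines, which is the opposite of what the subject line suggests. Presumably the substitution is meant for host allowlists rather than hashes; if so, either the nonce must still be stamped on those tags, or the allowlist belongs in a directive without `'strict-dynamic'` (and any such directive must then also carry the nonce so existing nonced scripts keep working). At minimum the new line deserves a comment alongside the existing one on `object-src`, e.g. `/* Host sources here are ignored by browsers honoring 'strict-dynamic'; external scripts still need the nonce */`. The text block and the enclosing main() begin outside this hunk.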