From bcf899fabc51ac89446ebf016fc6ae4f87f344a6 Mon Sep 17 00:00:00 2001
From: ian
Date: Mon, 17 Feb 2025 15:55:03 -0800
Subject: [PATCH 1/4] add comments to help explain usages of the various CSP declarations -- Note: comments are removed during application deployment
---
 server/configs/application.properties | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 440252a61e..668be0e28a 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -125,6 +125,7 @@ management.server.port=@@shutdownPort@@
 #jsonaccesslog.condition-if=attributeName
 #jsonaccesslog.condition-unless=attributeName
 
+#### Example enforced CSP for local development
 ## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 #useLocalBuild#csp.enforce=\
 #useLocalBuild# default-src 'self' https: ;\
@@ -141,16 +142,16 @@ management.server.port=@@shutdownPort@@
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 csp.report=\
- default-src 'self' ;\
- connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ;\
- object-src 'none' ;\
- style-src 'self' 'unsafe-inline' ;\
- img-src 'self' data: ;\
- font-src 'self' data: ;\
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
- base-uri 'self' ;\
- frame-ancestors 'self' ;\
- report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+ default-src 'self' ; /* Default sourcing locations for resources if explicit declarations not present */\
+ connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ; /* Allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
+ object-src 'none' ; /* Allowed sources for object, embed, and applet tags */\
+ style-src 'self' 'unsafe-inline' ; /* Allowed sources for style tags */\
+ img-src 'self' data: ; /* Allowed sources for imgages */\
+ font-src 'self' data: ; /* Allowed font sources */\
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Allowed sources for script tags */\
+ base-uri 'self' ; /* Allowed sources for base tags */\
+ frame-ancestors 'self' ; /* Allowed sources for embeded and other framed resourcees */\
+ report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ; /* Enables browser generated reports of any encountered CSP conflicts to the supplied URL */
 
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 ## Use a custom logging configuration
From 3ddef1f97bafda9fc469924f08ad280c7ab35ac8 Mon Sep 17 00:00:00 2001
From: ian
Date: Tue, 18 Feb 2025 11:36:23 -0800
Subject: [PATCH 2/4] Adjust comment for frame-ancestors directive
---
 server/configs/application.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 668be0e28a..d39aaa5d74 100644
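Review bot: The `/* … */` comments added to the csp.report value on the new side are not comments in Java .properties syntax (only lines starting with `#` or `!` are), so together with the trailing `\` continuations they become part of the property value and end up in the CSP header whenever this file is consumed without the deployment-time stripping the commit message mentions, e.g. from a local checkout. Browsers treat the text after each `;` as an unrecognised directive and drop it, so the policy still takes effect today, but a future comment containing a `;` or a real directive name would silently alter the policy, and the header carries the prose in the meantime. A form that needs no build step is to leave the directive lines as they were and document them on `#` lines above `csp.report=\`, e.g. `# connect-src: allowed connection sources; can be substituted and appended via the LabKey Admin UI`. The same applies to the frame-ancestors reword in PATCH 2/4 and to the rewritten comments in PATCH 4/4.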
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -150,7 +150,7 @@ csp.report=\
 font-src 'self' data: ; /* Allowed font sources */\
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Allowed sources for script tags */\
 base-uri 'self' ; /* Allowed sources for base tags */\
- frame-ancestors 'self' ; /* Allowed sources for embeded and other framed resourcees */\
+ frame-ancestors 'self' ; /* Allowed parents for embedding or framing the current resource */\
 report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ; /* Enables browser generated reports of any encountered CSP conflicts to the supplied URL */
 
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
From 121890d18da2b6cf880887720a348aff7f9a95e5 Mon Sep 17 00:00:00 2001
From: ian
Date: Tue, 18 Feb 2025 11:43:00 -0800
Subject: [PATCH 3/4] Remove "example" comment for the enforce property
---
 server/configs/application.properties | 1 -
 1 file changed, 1 deletion(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index d39aaa5d74..8e885167ea 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -125,7 +125,6 @@ management.server.port=@@shutdownPort@@
 #jsonaccesslog.condition-if=attributeName
 #jsonaccesslog.condition-unless=attributeName
 
-#### Example enforced CSP for local development
 ## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 #useLocalBuild#csp.enforce=\
 #useLocalBuild# default-src 'self' https: ;\
From 87180fd605f01c9170444494dbcd3028e1bcc9d1 Mon Sep 17 00:00:00 2001
From: ian
Date: Tue, 18 Feb 2025 11:57:05 -0800
Subject: [PATCH 4/4] Modify comments to be more about the current settings then general CSP help
---
 server/configs/application.properties | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/server/configs/application.properties b/server/configs/application.properties
index 8e885167ea..3cd35fa915 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -141,16 +141,16 @@ management.server.port=@@shutdownPort@@
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 csp.report=\
- default-src 'self' ; /* Default sourcing locations for resources if explicit declarations not present */\
- connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ; /* Allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
- object-src 'none' ; /* Allowed sources for object, embed, and applet tags */\
- style-src 'self' 'unsafe-inline' ; /* Allowed sources for style tags */\
- img-src 'self' data: ; /* Allowed sources for imgages */\
- font-src 'self' data: ; /* Allowed font sources */\
- script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; /* Allowed sources for script tags */\
- base-uri 'self' ; /* Allowed sources for base tags */\
- frame-ancestors 'self' ; /* Allowed parents for embedding or framing the current resource */\
- report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ; /* Enables browser generated reports of any encountered CSP conflicts to the supplied URL */
+ default-src 'self' ; /* Limit the default to only the current server */\
+ connect-src 'self' ${LABKEY.ALLOWED.CONNECTIONS} ; /* For security purposes limit allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
+ object-src 'none' ; /* These tags are not currently used by LKS */\
+ style-src 'self' 'unsafe-inline' ; /* We currently have a few inline