From d2f1d58f955ae9823ef69858ae8ea0bacf9a6b73 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Thu, 20 Feb 2025 09:59:10 -0800
Subject: [PATCH 1/3] Add support for image-src external sources

---
 server/configs/application.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index 527b1ce49a..ccfc3ca248 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -131,7 +131,7 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ;\
 #useLocalBuild#    object-src 'none' ;\
 #useLocalBuild#    style-src 'self' https: 'unsafe-inline' ${STYLE.SOURCES} ;\
-#useLocalBuild#    img-src 'self' https: data: ;\
+#useLocalBuild#    img-src 'self' https: data: ${IMAGE.SOURCES} ;\
 #useLocalBuild#    font-src 'self' data: ${FONT.SOURCES} ;\
 #useLocalBuild#    script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
 #useLocalBuild#    base-uri 'self' ;\
@@ -146,7 +146,7 @@ csp.report=\
     connect-src 'self' ${CONNECTION.SOURCES} ;                                      /* For security purposes limit allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
     object-src 'none' ;                                                             /* These tags are not currently used by LKS */\
     style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                             /* We currently have a few inline <style> tags that we are weeding out */\
-    img-src 'self' data: ;                                                          /* Limit image loading locations */\
+    img-src 'self' data: ${IMAGE.SOURCES} ;                                         /* Limit image loading locations */\
     font-src 'self' data: ${FONT.SOURCES} ;                                         /* Limit font source loading locations */\
     script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;     /* Limit scripts that are allowed to those with nonces or transitive scripts */\
     base-uri 'self' ;                                                               /* Limit the base tags to only source from current server */\

From ba11a00b7238593931fb2fa1a104a8a0e2b724cf Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Thu, 20 Feb 2025 12:03:55 -0800
Subject: [PATCH 2/3] Add CSP version numbers

---
 server/configs/application.properties | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index ccfc3ca248..e73845c791 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -126,6 +126,7 @@ management.server.port=@@shutdownPort@@
 #jsonaccesslog.condition-unless=attributeName
 
 ## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+## CSP Version: e10
 #useLocalBuild#csp.enforce=\
 #useLocalBuild#    default-src 'self' https: ;\
 #useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ;\
@@ -141,6 +142,7 @@ management.server.port=@@shutdownPort@@
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
+## CSP Version: r11
 csp.report=\
     default-src 'self' ;                                                            /* Limit the default to only the current server */\
     connect-src 'self' ${CONNECTION.SOURCES} ;                                      /* For security purposes limit allowed connection sources, can be substituted and appended via the LabKey Admin UI */\

From c1a8a3c04184a5afc92018f5e7d0aa3c10df0f04 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Thu, 20 Feb 2025 13:22:16 -0800
Subject: [PATCH 3/3] Add spaces, more pretty

---
 server/configs/application.properties | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index e73845c791..27a8d91a50 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -128,16 +128,16 @@ management.server.port=@@shutdownPort@@
 ## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 ## CSP Version: e10
 #useLocalBuild#csp.enforce=\
-#useLocalBuild#    default-src 'self' https: ;\
-#useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ;\
-#useLocalBuild#    object-src 'none' ;\
-#useLocalBuild#    style-src 'self' https: 'unsafe-inline' ${STYLE.SOURCES} ;\
-#useLocalBuild#    img-src 'self' https: data: ${IMAGE.SOURCES} ;\
-#useLocalBuild#    font-src 'self' data: ${FONT.SOURCES} ;\
-#useLocalBuild#    script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
-#useLocalBuild#    base-uri 'self' ;\
-#useLocalBuild#    frame-ancestors 'self' ;\
-#useLocalBuild#    frame-src 'self' ${FRAME.SOURCES} ;\
+#useLocalBuild#    default-src 'self' https: ; \
+#useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ; \
+#useLocalBuild#    object-src 'none' ; \
+#useLocalBuild#    style-src 'self' https: 'unsafe-inline' ${STYLE.SOURCES} ; \
+#useLocalBuild#    img-src 'self' https: data: ${IMAGE.SOURCES} ; \
+#useLocalBuild#    font-src 'self' data: ${FONT.SOURCES} ; \
+#useLocalBuild#    script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; \
+#useLocalBuild#    base-uri 'self' ; \
+#useLocalBuild#    frame-ancestors 'self' ; \
+#useLocalBuild#    frame-src 'self' ${FRAME.SOURCES} ; \
 #useLocalBuild#    report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)