From 86ee45f07af9fd8e1cc3450529f1f53b3bff681b Mon Sep 17 00:00:00 2001
From: Will Mooreston
Date: Thu, 20 Feb 2025 16:35:15 -0800
Subject: [PATCH] add stricter report policy for testing in LKSM
---
 .gitignore | 1 +
 application.properties | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/.gitignore b/.gitignore
index c62bde0..5a1c993 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ LabKey*.tar.gz
 startup/lims_starter-with-startup.properties
 startup/samplemanagement-with-startup.properties
 mounts/
+.DS_Store
diff --git a/application.properties b/application.properties
index 01033e4..dccc6be 100644
--- a/application.properties
+++ b/application.properties
@@ -178,5 +178,20 @@ csp.enforce=\
 report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
+## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
+csp.report=\
+ default-src 'self' ; /* Limit the default to only the current server */\
+ connect-src 'self' ${CONNECTION.SOURCES} ; /* For security purposes limit allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
+ object-src 'none' ; /* These tags are not currently used by LKS */\
+ style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ; /* We currently have a few inline