From 351de11f7311d34bb722087e27dcede64b51024e Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 24 Feb 2025 10:59:56 -0800
Subject: [PATCH 1/2] Add cspVersion parameter to CSPs

---
 server/configs/application.properties | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index 27a8d91a50..70230367a1 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -138,23 +138,23 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild#    base-uri 'self' ; \
 #useLocalBuild#    frame-ancestors 'self' ; \
 #useLocalBuild#    frame-src 'self' ${FRAME.SOURCES} ; \
-#useLocalBuild#    report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+#useLocalBuild#    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e10&${CSP.REPORT.PARAMS} ;
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 ## CSP Version: r11
 csp.report=\
-    default-src 'self' ;                                                            /* Limit the default to only the current server */\
-    connect-src 'self' ${CONNECTION.SOURCES} ;                                      /* For security purposes limit allowed connection sources, can be substituted and appended via the LabKey Admin UI */\
-    object-src 'none' ;                                                             /* These tags are not currently used by LKS */\
-    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                             /* We currently have a few inline <style> tags that we are weeding out */\
-    img-src 'self' data: ${IMAGE.SOURCES} ;                                         /* Limit image loading locations */\
-    font-src 'self' data: ${FONT.SOURCES} ;                                         /* Limit font source loading locations */\
-    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;     /* Limit scripts that are allowed to those with nonces or transitive scripts */\
-    base-uri 'self' ;                                                               /* Limit the base tags to only source from current server */\
-    frame-ancestors 'self' ;                                                        /* Only allow iframe resources to the current server */\
-    frame-src 'self' ${FRAME.SOURCES} ;                                             /* Only allow iframe resources from the current server plus explicitly declared external sources */\
-    report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;        /* Reports any encountered CSP conflicts to the supplied URL */
+    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
+    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
+    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
+    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
+    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
+    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
+    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
+    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
+    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
+    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
+    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## Use a custom logging configuration

From 1191d2a4cb16304994dfba02271069c22415940f Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 24 Feb 2025 12:47:18 -0800
Subject: [PATCH 2/2] Turn CSP_FILTERS into a Map. Attempt to determine
 cspVersion of each CSP and report them via metrics.

---
 server/configs/application.properties | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server/configs/application.properties b/server/configs/application.properties
index 70230367a1..fd8927e2fe 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -126,7 +126,6 @@ management.server.port=@@shutdownPort@@
 #jsonaccesslog.condition-unless=attributeName
 
 ## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
-## CSP Version: e10
 #useLocalBuild#csp.enforce=\
 #useLocalBuild#    default-src 'self' https: ; \
 #useLocalBuild#    connect-src 'self' ${CONNECTION.SOURCES} ; \
@@ -142,7 +141,6 @@ management.server.port=@@shutdownPort@@
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
-## CSP Version: r11
 csp.report=\
     default-src 'self' ;                                                                    /* Limit the default to only the current server */\
     connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\