From ff6ea702eade2a61169bdfcbc4d3feaf6aea43f6 Mon Sep 17 00:00:00 2001 From: labkey-matthewb Date: Mon, 8 Jan 2024 13:42:34 -0800 Subject: [PATCH] update comments again --- .../src/org/labkey/filters/ContentSecurityPolicyFilter.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/server/bootstrap/src/org/labkey/filters/ContentSecurityPolicyFilter.java b/server/bootstrap/src/org/labkey/filters/ContentSecurityPolicyFilter.java index 64a8e29ed1..632fd10fe4 100644 --- a/server/bootstrap/src/org/labkey/filters/ContentSecurityPolicyFilter.java +++ b/server/bootstrap/src/org/labkey/filters/ContentSecurityPolicyFilter.java @@ -19,9 +19,7 @@ /** example usage, - NOTE: as of Jan 2024, browsers do not correctly handle the MDN recommended "report-to" directive. Furthermore, including both - report-uri and report-to directives breaks Chrome. So the current recommendation is to use the 'deprecated" report-uri - directive. + NOTE: LabKey does not yet support setting the "Report-To" header, so we do not support the report-to CSP directive. Example 1 : very strict, disallows 'external' websites, disallows unsafe-inline, but only reports violations (does not enforce) good for test automation!
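Review bot: The replacement NOTE in the class Javadoc says which directive is unsupported but no longer tells whoever configures this filter what to use for violation reporting. Consider ending it with `Use the report-uri directive to collect violation reports.` so that a policy copied from the examples still has a working reporting path. The note also ties report-to only to the "Report-To" header, whereas browsers implementing the newer Reporting API read the endpoint from a Reporting-Endpoints header. If the server emits neither, naming both would be more precise, though this is inferred because the header-setting code is not in this hunk. The Javadoc block continues past the end of the hunk.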