Stop sending labkeyVersion in our CSPs #7432

Merged
labkey-adam merged 2 commits into develop from fb_csp_no_version
Feb 19, 2026

Conversation

@labkey-adam (Contributor) commented Feb 18, 2026

Rationale

https://github.com/LabKey/internal-issues/issues/858

Also, support browsers (e.g., Safari) that post individual JSON reports in addition to those (e.g., Chrome) that post an array of JSON reports

@labkey-jeckels (Contributor) left a comment

Testing locally, the CSP doesn't have the version in it anymore, as intended.

However, when I have a CSP violation and it's reported, my local server gives a 400 reply to admin-contentSecurityPolicyReportTo.view?cspVersion=e14:

{
    "exception": "Error binding property: Cannot deserialize value of type `org.labkey.core.admin.AdminController$ReportToJsonObjects` from Object value (token `JsonToken.START_OBJECT`)\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1]",
    "success": false,
    "errors": [
        {
            "msg": "Error binding property: Cannot deserialize value of type `org.labkey.core.admin.AdminController$ReportToJsonObjects` from Object value (token `JsonToken.START_OBJECT`)\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1]",
            "severity": "Error",
            "field": "form",
            "id": "form",
            "message": "Error binding property: Cannot deserialize value of type `org.labkey.core.admin.AdminController$ReportToJsonObjects` from Object value (token `JsonToken.START_OBJECT`)\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1]"
        }
    ]
}

Chrome seems to work. Safari doesn't, likely predating this change. Here's what it's trying to POST:

{
    "type": "csp-violation",
    "url": "https://jeckels.labkey.com/home/wiki-page.view?name=inlineScript",
    "body": {
        "documentURL": "https://jeckels.labkey.com/home/wiki-page.view?name=inlineScript",
        "disposition": "enforce",
        "referrer": "https://jeckels.labkey.com/home/wiki-page.view?name=default",
        "effectiveDirective": "script-src-attr",
        "blockedURL": "inline",
        "originalPolicy": "default-src 'self' ; connect-src 'self' localhost:3001 ws://localhost:3001 webpack: https://code.jquery.com/ui/1.13.2/jquery-ui.min.js ; object-src 'self' ; style-src 'self' 'unsafe-inline' https://cdn.datatables.net ; img-src 'self' data:  ; font-src 'self' data: localhost:3001 https://mathjax.rstudio.com ; script-src 'unsafe-eval' 'strict-dynamic' 'nonce-b070ec06d019473c'  ; base-uri 'self' ; frame-src 'self' https://player.vimeo.com ;  frame-ancestors 'self' ; report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e14 ; report-to csp-enforce ;",
        "statusCode": 200,
        "sample": "",
        "sourceFile": "https://jeckels.labkey.com/home/wiki-page.view?name=inlineScript",
        "lineNumber": 392,
        "columnNumber": 1
    }
}

@labkey-adam (Contributor, Author) commented

Okay, so Chrome and Firefox always post an array of JSON objects. Apparently Safari posts single objects. That's annoying, but glad you caught it.
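
The array-versus-single-object difference discussed above, as an added example that is not LabKey's code: LabKey's report endpoint is Java (the 400 above comes from Jackson binding), whereas this is a stand-alone Python illustration of a handler that accepts both shapes. The two sample payloads are constructed for the example; the Safari one mirrors the single-object shape posted in the thread with placeholder URLs, and the Chrome one is a batched array that also carries a non-CSP report type, which a CSP handler should skip rather than reject.

```python
import json
from typing import Any, Union

# Fields a CSP report-to handler needs from each report body; everything
# else in the report is optional and left alone.
REQUIRED_BODY = ("documentURL", "effectiveDirective", "blockedURL", "disposition")

# Constructed sample payloads (not captured traffic). The Safari one mirrors the
# single-object shape from the thread with placeholder URLs; the Chrome one is a
# batched array that also carries a non-CSP report type.
SAFARI_SINGLE = json.dumps({
    "type": "csp-violation",
    "url": "https://example.test/home/wiki-page.view?name=inlineScript",
    "body": {
        "documentURL": "https://example.test/home/wiki-page.view?name=inlineScript",
        "disposition": "enforce",
        "referrer": "https://example.test/home/wiki-page.view?name=default",
        "effectiveDirective": "script-src-attr",
        "blockedURL": "inline",
        "originalPolicy": "default-src 'self' ; script-src 'strict-dynamic' 'nonce-abc' ; report-to csp-enforce ;",
        "statusCode": 200,
        "sample": "",
        "sourceFile": "https://example.test/home/wiki-page.view?name=inlineScript",
        "lineNumber": 392,
        "columnNumber": 1,
    },
})

CHROME_ARRAY = json.dumps([
    {
        "age": 12,
        "type": "csp-violation",
        "url": "https://example.test/home/project-begin.view",
        "body": {
            "documentURL": "https://example.test/home/project-begin.view",
            "disposition": "enforce",
            "effectiveDirective": "script-src-elem",
            "blockedURL": "https://evil.example/x.js",
            "statusCode": 200,
        },
    },
    {
        "age": 40,
        "type": "deprecation",
        "url": "https://example.test/home/project-begin.view",
        "body": {"id": "SomeFeature", "message": "deprecated"},
    },
])


def parse_reports(raw: Union[bytes, str]) -> list[dict[str, Any]]:
    """Return the reports in a report-to POST as a list, whether the client
    posted a JSON array (Chrome, Firefox) or a bare object (Safari).
    Any other top-level shape, or a non-object element, is rejected."""
    data = json.loads(raw)
    if isinstance(data, dict):
        reports = [data]
    elif isinstance(data, list):
        reports = data
    else:
        raise ValueError("report-to payload must be a JSON object or array")
    if not all(isinstance(r, dict) for r in reports):
        raise ValueError("every report must be a JSON object")
    return reports


def csp_violations(raw: Union[bytes, str]) -> list[dict[str, str]]:
    """Extract the loggable fields from csp-violation reports, skipping other
    report types the endpoint does not handle and reports missing required
    fields. The payload is unauthenticated, client-controlled input, so each
    value is coerced to str and truncated before it reaches a log or database."""
    out = []
    for r in parse_reports(raw):
        if r.get("type") != "csp-violation":
            continue
        body = r.get("body")
        if not isinstance(body, dict) or any(k not in body for k in REQUIRED_BODY):
            continue
        out.append({k: str(body[k])[:2048] for k in REQUIRED_BODY})
    return out


def accepts(raw: Union[bytes, str]) -> bool:
    """True if the payload has a shape parse_reports() accepts; shows the
    rejection path without letting the exception escape (JSONDecodeError is
    a ValueError subclass, so malformed JSON is covered too)."""
    try:
        parse_reports(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, payload in (("safari", SAFARI_SINGLE), ("chrome", CHROME_ARRAY)):
        for v in csp_violations(payload):
            print(label, v["effectiveDirective"], "blocked", v["blockedURL"], "on", v["documentURL"])
```

Two practical notes. Reporting API POSTs arrive with Content-Type application/reports+json, which is a different format from the legacy report-uri one (application/csp-report, a single object wrapped in a csp-report key), so an endpoint that serves both directives needs both parsers. On the Java side, Jackson's DeserializationFeature.ACCEPT_SINGLE_VALUE_AS_ARRAY lets an ObjectMapper bind a bare object to a List-typed target, which is the one-line equivalent of parse_reports() above; whether this PR took that route or branched on the token type is not visible in the thread.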

…addition to those (e.g., Chrome) that post an array of JSON reports
@labkey-adam (Contributor, Author) commented

@labkey-jeckels can you test this locally against Safari? Current version is no longer supported on Windows.

I did test your JSON example via the query-apiTest action.

@labkey-jeckels (Contributor) commented

Confirmed on Safari, Chrome, and Firefox.

@labkey-adam labkey-adam merged commit 884fa58 into develop Feb 19, 2026
9 checks passed
@labkey-adam labkey-adam deleted the fb_csp_no_version branch February 19, 2026 23:39