Skip to content

Set strong CSP: enforce for development, report-only for production#1012

Merged
labkey-adam merged 2 commits intorelease25.3-SNAPSHOTfrom
25.3_fb_strong_csp
Mar 10, 2025
Merged

Set strong CSP: enforce for development, report-only for production#1012
labkey-adam merged 2 commits intorelease25.3-SNAPSHOTfrom
25.3_fb_strong_csp

Conversation

@labkey-adam
Copy link
Contributor

@labkey-adam labkey-adam commented Mar 7, 2025

Rationale

For 25.3, we've decided to configure CSP r11 (report-only) by default for all on-premise deployments and CSP e11 (enforce) for all development deployments

@labkey-jeckels
Copy link
Contributor

labkey-jeckels commented Mar 7, 2025

This is unlikely to actually impact existing installs. Should we instead or also make this the default in LabKeyServer.java, which can then be overridden as admins desire?

@labkey-adam
Copy link
Contributor Author

labkey-adam commented Mar 7, 2025

This is unlikely to actually impact existing installs. Should we instead or also make this the default in LabKeyServer.java, which can then be overridden as admins desire?

I don't actually know how these properties get applied on production servers. application.properties is ignored?

@labkey-adam
Copy link
Contributor Author

labkey-adam commented Mar 7, 2025

This is unlikely to actually impact existing installs. Should we instead or also make this the default in LabKeyServer.java, which can then be overridden as admins desire?

I don't actually know how these properties get applied on production servers. application.properties is ignored?

Oh, existing installs... because they don't replace application.properties every upgrade?

@labkey-jeckels
Copy link
Contributor

labkey-jeckels commented Mar 7, 2025

This is unlikely to actually impact existing installs. Should we instead or also make this the default in LabKeyServer.java, which can then be overridden as admins desire?

I don't actually know how these properties get applied on production servers. application.properties is ignored?

Oh, existing installs... because they don't replace application.properties every upgrade?

Exactly. It has their DB settings and other install-specific config. Ideally they might check the new version in the download and merge them together, but I doubt that happens very often

@labkey-adam
Copy link
Contributor Author

labkey-adam commented Mar 7, 2025

@labkey-jeckels please review the latest. I didn't see much value in keeping the comments in the code version.

labkey-jeckels
labkey-jeckels approved these changes Mar 7, 2025
View reviewed changes
Copy link
Contributor

@labkey-jeckels labkey-jeckels left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's unfortunate to have another copy of CSP checked in. Maybe we can soon have both a report and enforce specified solely in LabKeyServer.java. We'd need to conditionalize the report-uri

@labkey-adam labkey-adam merged commit 031de21 into release25.3-SNAPSHOT Mar 10, 2025
5 checks passed
@labkey-adam labkey-adam deleted the 25.3_fb_strong_csp branch March 10, 2025 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-jeckels labkey-jeckels labkey-jeckels approved these changes

@labkey-willm labkey-willm labkey-willm approved these changes

@labkey-tchad labkey-tchad Awaiting requested review from labkey-tchad

@labkey-matthewb labkey-matthewb Awaiting requested review from labkey-matthewb

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@labkey-adam @labkey-jeckels @labkey-willm