remove csp from app props so default is used

labkey-willm · labkey-willm · commit 0c1745597678 · 2025-05-16T09:35:59.000-07:00
diff --git a/application.properties b/application.properties
@@ -163,36 +163,5 @@ server.tomcat.max-threads=50
 server.servlet.session.timeout=60m
 context.workDirLocation=/work/Tomcat/localhost
 
-## START OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
-csp.enforce=\
-    default-src 'self' https: ; \
-    connect-src 'self' ${CONNECTION.SOURCES} ; \
-    object-src 'none' ; \
-    style-src 'self' https: 'unsafe-inline' ${STYLE.SOURCES} ; \
-    img-src 'self' https: data: ${IMAGE.SOURCES} ; \
-    font-src 'self' data: ${FONT.SOURCES} ; \
-    script-src 'self' 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ; \
-    base-uri 'self' ; \
-    upgrade-insecure-requests ;\
-    frame-ancestors 'self' ; \
-    frame-src 'self' ${FRAME.SOURCES} ; \
-    report-uri https://www.labkey.org/admin-contentSecurityPolicyReport.api?cspVersion=e10&${CSP.REPORT.PARAMS} ;
-## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
-
-## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
-csp.report=\
-    default-src 'self' ;                                                                    /* Limit the default to only the current server */\
-    connect-src 'self' ${CONNECTION.SOURCES} ;                                              /* Limit allowed connection sources */\
-    object-src 'none' ;                                                                     /* These tags are not currently used by LKS */\
-    style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;                                     /* We currently have a few inline <style> tags that we are weeding out */\
-    img-src 'self' data: ${IMAGE.SOURCES} ;                                                 /* Limit image loading locations */\
-    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
-    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
-    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
-    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
-    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-    report-uri https://www.labkey.org/admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
-## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
-
 ## Load optional application.properties if file exists - used for one-off labkey cloud use cases etc.
 spring.config.import=optional:file:${LABKEY_HOME}/config/optional.application.properties
