Skip to content

A couple more CSP enhancements #6809

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
labkey-adam merged 7 commits into from
Jul 8, 2025
Merged

A couple more CSP enhancements #6809

labkey-adam merged 7 commits into from
Jul 8, 2025

Conversation

@labkey-adam
Copy link
Contributor

@labkey-adam labkey-adam commented Jun 30, 2025
edited by labkey-robert
Loading

Rationale

Two enhancements to address strict CSP limitations:

  1. Ability to override object-src: 'none' ; directive, providing allowed hosts. https://www.labkey.org/home/Developer/issues/issues-details.view?issueId=53226
  2. Inject nonce attributes and values into R report HTML outputs that have <script> tags. https://www.labkey.org/home/Developer/issues/issues-details.view?issueId=53211

Related Pull Requests

Tasks

@labkey-adam labkey-adam requested review from a team and labkey-matthewb June 30, 2025 02:00
@labkey-adam labkey-adam mentioned this pull request Jun 30, 2025
Merged
@labkey-adam labkey-adam self-assigned this Jun 30, 2025
labkey-matthewb
labkey-matthewb reviewed Jun 30, 2025
View reviewed changes
api/src/org/labkey/api/reports/report/r/view/HtmlOutput.java
{
if (exists(file))
return PageFlowUtil.getFileContentsAsString(file);
return PageFlowUtil.addScriptNonces(PageFlowUtil.getFileContentsAsString(file));
Copy link
Contributor

@labkey-matthewb labkey-matthewb Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems fine. I'm curious about all the R caching scenarios, but I think this happens "late".

labkey-matthewb
labkey-matthewb reviewed Jun 30, 2025
View reviewed changes
api/src/org/labkey/api/util/PageFlowUtil.java
*/
public static String addScriptNonces(String html)
{
Document doc = JSoupUtil.convertHtmlToDocument(StringUtils.trimToEmpty(html), false, new LinkedList<>());
Copy link
Contributor

@labkey-matthewb labkey-matthewb Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course this will do various transformations to the code if it is not well-formed. I guess I'm alright with that.

@labkey-tchad labkey-tchad mentioned this pull request Jul 2, 2025
Merged
@labkey-adam labkey-adam changed the base branch from develop to release25.7-SNAPSHOT July 3, 2025 15:40
@labkey-adam labkey-adam merged commit be8ecbb into release25.7-SNAPSHOT Jul 8, 2025
10 checks passed
@labkey-adam labkey-adam deleted the fb_csp_issues branch July 8, 2025 17:11
@labkey-adam labkey-adam mentioned this pull request Jul 10, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-matthewb labkey-matthewb labkey-matthewb approved these changes

Assignees

@labkey-adam labkey-adam

@labkey-tchad labkey-tchad

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@labkey-adam @labkey-matthewb @labkey-tchad