Conditionally add upgrade-secure-requests CSP directive

Author: labkey-adam

server/configs/application.properties

@@ -132,9 +132,10 @@ management.server.port=@@shutdownPort@@
 #useLocalBuild#    font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
 #useLocalBuild#    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
 #useLocalBuild#    base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
+#useLocalBuild#    ${UPGRADE.SECURE.REQUESTS}                                                              /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
 #useLocalBuild#    frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
 #useLocalBuild#    frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-#useLocalBuild#    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+#useLocalBuild#    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=e12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
 ## END OF CSP ENFORCE BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## START OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
@@ -147,9 +148,10 @@ csp.report=\
     font-src 'self' data: ${FONT.SOURCES} ;                                                 /* Limit font source loading locations */\
     script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;             /* Limit scripts to those with nonces or transitive scripts */\
     base-uri 'self' ;                                                                       /* Limit the base tags to only source from current server */\
+    ${UPGRADE.SECURE.REQUESTS}                                                              /* Conditionally add upgrade-secure-requests directive if HTTPS is required */\
     frame-ancestors 'self' ;                                                                /* Limit iframe content destinations (who can load this server's content into an iframe) */\
     frame-src 'self' ${FRAME.SOURCES} ;                                                     /* Limit iframe content sources (from what servers can this server's iframe content be loaded) */\
-    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the supplied URL */
+    report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS} ; /* Report any encountered CSP violations to the local server */
 ## END OF CSP REPORT BLOCK (DO NOT CHANGE THIS TEXT)
 
 ## Use a custom logging configuration

server/embedded/src/org/labkey/embedded/LabKeyServer.java

@@ -66,6 +66,21 @@ public static void main(String[] args)
 
         SpringApplication application = new SpringApplication(LabKeyServer.class);
         application.addListeners(new ApplicationPidFileWriter("./labkey.pid"));
+        // A strong Content Security Policy that reports violations to this server
+        String strongCsp = """
+                default-src 'self' ;
+                connect-src 'self' ${CONNECTION.SOURCES} ;
+                object-src 'none' ;
+                style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
+                img-src 'self' data: ${IMAGE.SOURCES} ;
+                font-src 'self' data: ${FONT.SOURCES} ;
+                script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
+                base-uri 'self' ;
+                ${UPGRADE.SECURE.REQUESTS}
+                frame-ancestors 'self' ;
+                frame-src 'self' ${FRAME.SOURCES} ;
+                report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r12&${CSP.REPORT.PARAMS}
+            """;
         application.setDefaultProperties(Map.of(
                 "server.tomcat.basedir", ".",
                 "server.tomcat.accesslog.directory", logHome,
@@ -81,20 +96,7 @@ public static void main(String[] args)
                 "server.error.include-stacktrace", "never",
                 "server.error.include-message", "always",
 
-                // A strong report-only Content Security Policy that reports violations to this server
-                "csp.report", """
-                        default-src 'self' ;
-                        connect-src 'self' ${CONNECTION.SOURCES} ;
-                        object-src 'none' ;
-                        style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
-                        img-src 'self' data: ${IMAGE.SOURCES} ;
-                        font-src 'self' data: ${FONT.SOURCES} ;
-                        script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;
-                        base-uri 'self' ;
-                        frame-ancestors 'self' ;
-                        frame-src 'self' ${FRAME.SOURCES} ;
-                        report-uri /admin-contentSecurityPolicyReport.api?cspVersion=r11&${CSP.REPORT.PARAMS}
-                    """
+                "csp.report", strongCsp
         ));
         application.setBannerMode(Banner.Mode.OFF);
         application.run(args);