From 7591ab70d006eface09fc3ad6b7c7fdf18cecfb0 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 3 Jun 2026 10:57:52 -0700
Subject: [PATCH 1/3] Admin option to customize frame-ancestors

---
 .../org/labkey/api/security/Directive.java    |  1 +
 .../filters/ContentSecurityPolicyFilter.java  | 41 ++++++++++++++++---
 .../labkey/core/admin/AdminController.java    | 35 ++++++++++++++--
 3 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/api/src/org/labkey/api/security/Directive.java b/api/src/org/labkey/api/security/Directive.java
index ba150f9487e..3f10b07f926 100644
--- a/api/src/org/labkey/api/security/Directive.java
+++ b/api/src/org/labkey/api/security/Directive.java
@@ -27,6 +27,7 @@ public enum Directive implements StartupProperty, SafeToRenderEnum
     Connection("connect-src", "Sources for fetch/XHR requests"),
     Font("font-src", "Sources for fonts"),
     Frame("frame-src", "Sources for iframes"),
+    FrameAncestors("frame-ancestors", "Parent hosts allowed to embed this site's resources in an <iframe>, etc."),
     Image("image-src", "Sources for images"),
     Object("object-src", "Sources for objects"), // Issue 53226
     Script("script-src", "Sources for scripts"),
diff --git a/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java b/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
index 7ac3a26a131..987b2d7a4df 100644
--- a/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
+++ b/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
@@ -86,7 +86,7 @@ public class ContentSecurityPolicyFilter implements Filter
     // Per-filter-instance parameters that are set in init() and never changed
     private ContentSecurityPolicyType _type = ContentSecurityPolicyType.Enforce;
     private @NotNull String _cspVersion = "Unknown";
-    // These two are effectively @NotNull since they are set to non-null values in init() and never changed
+    // This is effectively @NotNull since it's set to non-null values in init() and never changed
     private String _stashedTemplate = null;
 
     // We can't set this statically because the class is referenced before URLProviders are available
@@ -208,13 +208,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
     {
         if (request instanceof HttpServletRequest req && response instanceof HttpServletResponse resp)
         {
-            StringExpression expression = ensurePolicyExpression();
+            String csp = getSubstitutedCsp(req);
 
-            if (getType() != ContentSecurityPolicyType.Enforce || !OptionalFeatureService.get().isFeatureEnabled(FEATURE_FLAG_DISABLE_ENFORCE_CSP))
+            if (csp != null)
             {
-                Map<String, String> map = Map.of(NONCE_SUBST, getScriptNonceHeader(req));
-                String csp = expression.eval(map);
-
                 if ("https".equals(req.getScheme()))
                 {
                     if (resp.getHeader(REPORTING_ENDPOINTS_HEADER) == null)
@@ -228,6 +225,26 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         chain.doFilter(request, response);
     }
 
+    private String getSubstitutedCsp(HttpServletRequest req)
+    {
+        StringExpression expression = ensurePolicyExpression();
+
+        if (getType() != ContentSecurityPolicyType.Enforce || !OptionalFeatureService.get().isFeatureEnabled(FEATURE_FLAG_DISABLE_ENFORCE_CSP))
+        {
+            Map<String, String> map = Map.of(NONCE_SUBST, getScriptNonceHeader(req));
+            String csp = expression.eval(map);
+
+            if ("https".equals(req.getScheme()))
+            {
+                csp = csp + " report-to csp-report ;";
+            }
+
+            return csp;
+        }
+
+        return null;
+    }
+
     public ContentSecurityPolicyType getType()
     {
         return _type;
@@ -347,6 +364,18 @@ public static boolean hasCsp(ContentSecurityPolicyType type)
         return CSP_FILTERS.get(type) != null;
     }
 
+    public static @Nullable String getStashedTemplate(ContentSecurityPolicyType type)
+    {
+        var filter = CSP_FILTERS.get(type);
+        return filter != null ? filter._stashedTemplate : null;
+    }
+
+    public static @Nullable String getSubstitutedCsp(ContentSecurityPolicyType type, HttpServletRequest req)
+    {
+        var filter = CSP_FILTERS.get(type);
+        return filter != null ? filter.getSubstitutedCsp(req) : null;
+    }
+
     public static @NotNull String getCspVersion(@Nullable String disposition)
     {
         if (disposition != null)
diff --git a/core/src/org/labkey/core/admin/AdminController.java b/core/src/org/labkey/core/admin/AdminController.java
index b4da6864ac2..6321899f089 100644
--- a/core/src/org/labkey/core/admin/AdminController.java
+++ b/core/src/org/labkey/core/admin/AdminController.java
@@ -317,8 +317,8 @@
 import org.labkey.api.view.ViewContext;
 import org.labkey.api.view.ViewServlet;
 import org.labkey.api.view.WebPartView;
-import org.labkey.api.view.template.EmptyView;
 import org.labkey.api.view.template.ClientDependency;
+import org.labkey.api.view.template.EmptyView;
 import org.labkey.api.view.template.PageConfig;
 import org.labkey.api.view.template.PageConfig.Template;
 import org.labkey.api.wiki.WikiRendererType;
@@ -343,6 +343,7 @@
 import org.labkey.core.security.SecurityController;
 import org.labkey.data.xml.TablesDocument;
 import org.labkey.filters.ContentSecurityPolicyFilter;
+import org.labkey.filters.ContentSecurityPolicyFilter.ContentSecurityPolicyType;
 import org.labkey.security.xml.GroupEnumType;
 import org.labkey.vfs.FileLike;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -427,9 +428,10 @@
 import static org.labkey.api.util.DOM.IMG;
 import static org.labkey.api.util.DOM.LI;
 import static org.labkey.api.util.DOM.P;
+import static org.labkey.api.util.DOM.PRE;
 import static org.labkey.api.util.DOM.SPAN;
-import static org.labkey.api.util.DOM.STYLE;
 import static org.labkey.api.util.DOM.STRONG;
+import static org.labkey.api.util.DOM.STYLE;
 import static org.labkey.api.util.DOM.TABLE;
 import static org.labkey.api.util.DOM.TD;
 import static org.labkey.api.util.DOM.TH;
@@ -11587,6 +11589,18 @@ public ModelAndView getView(ExternalSourcesForm form, boolean reshow, BindExcept
         {
             boolean isTroubleshooter = !getContainer().hasPermission(getUser(), ApplicationAdminPermission.class);
 
+            String template = formatCsp(ContentSecurityPolicyFilter.getStashedTemplate(ContentSecurityPolicyType.Enforce), "No enforce CSP is present!");
+            String substituted = formatCsp(ContentSecurityPolicyFilter.getSubstitutedCsp(ContentSecurityPolicyType.Enforce, getViewContext().getRequest()), "Enforce CSP is disabled!");
+            HtmlView csps = new HtmlView("Current Enforce CSP",
+                TABLE(
+                    TR(
+                        TH(STRONG("With Substitution Placeholders")), TH(STRONG("With Substituted Values"))
+                    ),
+                    TR(
+                        TD(at(style, "padding-right: 20px;"), PRE(template)), TD(PRE(substituted))
+                    )
+                )
+            );
             JspView<ExternalSourcesForm> newView = new JspView<>("/org/labkey/core/admin/addNewExternalSource.jsp", form, errors);
             newView.setTitle(isTroubleshooter ? "Overview" : "Register New External Resource Host");
             newView.setFrame(WebPartView.FrameType.PORTAL);
@@ -11594,7 +11608,22 @@ public ModelAndView getView(ExternalSourcesForm form, boolean reshow, BindExcept
             existingView.setTitle("Existing External Resource Hosts");
             existingView.setFrame(WebPartView.FrameType.PORTAL);
 
-            return new VBox(newView, existingView);
+            return new VBox(csps, newView, existingView);
+        }
+
+        private String formatCsp(@Nullable String csp, String defaultValue)
+        {
+            if (csp != null)
+            {
+                csp = csp.replace("frame-ancestors", "\nframe-ancestors");
+                return Arrays.stream(csp.split(";"))
+                    .map(String::trim)
+                    .collect(Collectors.joining(" ;\n"));
+            }
+            else
+            {
+                return defaultValue;
+            }
         }
 
         private static final Object HOST_LOCK = new Object();

From 3ad8089d631fb42927d29f1888923cf60a648122 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 3 Jun 2026 12:47:44 -0700
Subject: [PATCH 2/3] Add test. Fix double report-to directive. More reliable
 detection of "${UPGRADE.INSECURE.REQUESTS}" for formatting.

---
 .../filters/ContentSecurityPolicyFilter.java  | 21 +++++++++++++++----
 .../labkey/core/admin/AdminController.java    |  5 ++++-
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java b/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
index 987b2d7a4df..0ed280795d3 100644
--- a/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
+++ b/api/src/org/labkey/filters/ContentSecurityPolicyFilter.java
@@ -212,11 +212,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
             if (csp != null)
             {
-                if ("https".equals(req.getScheme()))
+                if ("https".equals(req.getScheme()) && resp.getHeader(REPORTING_ENDPOINTS_HEADER) == null)
                 {
-                    if (resp.getHeader(REPORTING_ENDPOINTS_HEADER) == null)
-                        resp.addHeader(REPORTING_ENDPOINTS_HEADER, _reportingEndpointsHeaderValue);
-                    csp = csp + " report-to csp-report ;";
+                    resp.addHeader(REPORTING_ENDPOINTS_HEADER, _reportingEndpointsHeaderValue);
                 }
 
                 resp.setHeader(getType().getHeaderName(), csp);
@@ -594,6 +592,21 @@ public void testSubstitutionMap()
                     verifySubstitutionInPolicyExpressions("'none'", 0);
                     verifySubstitutionInPolicyExpressions("ObjectSource", 1);
                     verifySubstitutionInPolicyExpressions("BetterObjectStore", 1);
+
+                    unregisterAllowedSources("frameancestors", Directive.FrameAncestors);
+                    registerAllowedSources("frameancestors", Directive.FrameAncestors, "AncestorSource", "AnotherAncestor");
+                    assertEquals(7, ALLOWED_SOURCES.size());
+                    verifySubstitutionMapSize(5);
+                    // frame-ancestors is enforce-only (absent from the report CSP template), so check the substitution map directly
+                    String ancestorKey = Directive.FrameAncestors.getSubstitutionKey();
+                    assertTrue(SUBSTITUTION_MAP.get(ancestorKey).contains("AncestorSource"));
+                    assertTrue(SUBSTITUTION_MAP.get(ancestorKey).contains("AnotherAncestor"));
+                    unregisterAllowedSources("frameancestors", Directive.FrameAncestors);
+                    assertEquals(7, ALLOWED_SOURCES.size()); // Entry still exists but should be empty
+                    assertTrue(ALLOWED_SOURCES.get(Directive.FrameAncestors).isEmpty());
+                    verifySubstitutionMapSize(4); // Back to the way it was
+                    verifySubstitutionInPolicyExpressions("AncestorSource", 0);
+                    verifySubstitutionInPolicyExpressions("AnotherAncestor", 0);
                 }
                 finally
                 {
diff --git a/core/src/org/labkey/core/admin/AdminController.java b/core/src/org/labkey/core/admin/AdminController.java
index 6321899f089..e5a3dc9f11e 100644
--- a/core/src/org/labkey/core/admin/AdminController.java
+++ b/core/src/org/labkey/core/admin/AdminController.java
@@ -11611,11 +11611,14 @@ public ModelAndView getView(ExternalSourcesForm form, boolean reshow, BindExcept
             return new VBox(csps, newView, existingView);
         }
 
+        private static final String UPGRADE_INSECURE_REQUESTS = "${UPGRADE.INSECURE.REQUESTS}";
+
         private String formatCsp(@Nullable String csp, String defaultValue)
         {
             if (csp != null)
             {
-                csp = csp.replace("frame-ancestors", "\nframe-ancestors");
+                // There's no semicolon at the end of this substitution, but we want it to show it on its own line
+                csp = csp.replace(UPGRADE_INSECURE_REQUESTS + " ", UPGRADE_INSECURE_REQUESTS + "\n");
                 return Arrays.stream(csp.split(";"))
                     .map(String::trim)
                     .collect(Collectors.joining(" ;\n"));

From 6984afccb5ad3659bfa7f44e7ed2065db069671e Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Wed, 3 Jun 2026 12:54:39 -0700
Subject: [PATCH 3/3] Correct JavaDoc

---
 api/src/org/labkey/api/security/Directive.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/src/org/labkey/api/security/Directive.java b/api/src/org/labkey/api/security/Directive.java
index 3f10b07f926..b0acc73b432 100644
--- a/api/src/org/labkey/api/security/Directive.java
+++ b/api/src/org/labkey/api/security/Directive.java
@@ -19,8 +19,9 @@
 import org.labkey.api.util.SafeToRenderEnum;
 
 /**
- * All CSP directives that support substitutions. These constant names are persisted to the database, so be careful with
- * any changes. If adding a Directive, make sure to add the corresponding substitutions in LabKeyServer baseCsp.
+ * All CSP directives that support substitutions. These constant names are persisted to the database, so be careful
+ * with any changes. If adding a Directive, make sure to add the corresponding substitutions to the appropriate CSP
+ * template(s) in LabKeyServer.
  */
 public enum Directive implements StartupProperty, SafeToRenderEnum
 {