From 556e81360643abf578321c399aefd4bea8702033 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Wed, 11 Mar 2026 12:03:10 -0700
Subject: [PATCH 1/2] Remove CSP versions from headers and URLs
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index a464fa0bee..812cf2ffa8 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -79,16 +79,17 @@ public static void main(String[] args)
 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ${SCRIPT.SOURCES} ;
 base-uri 'self' ;
 frame-src 'self' ${FRAME.SOURCES} ;
+ report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api ;
 """;
 // Add upgrade_insecure_requests substitution, frame-ancestors, and enforce version
 String enforceCsp = baseCsp + """
 ${UPGRADE.INSECURE.REQUESTS}
 frame-ancestors 'self' ;
- report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=e14 ;
+ /* cspVersion=e14 */
 """;
 // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
 String reportCsp = baseCsp + """
- report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r14 ;
+ /* cspVersion=r14 */
 """;

 application.setDefaultProperties(new HashMap<>()
From 045bbcf37c9e69378916a4fb6febd036fb0e4d26 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Wed, 11 Mar 2026 12:14:24 -0700
Subject: [PATCH 2/2] Bump the CSP version since we changed it (trivially)
---
 server/embedded/src/org/labkey/embedded/LabKeyServer.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 812cf2ffa8..2dd374fc77 100644
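Review bot: The added `/* cspVersion=e14 */` and `/* cspVersion=r14 */` lines sit inside Java text blocks, so they are not comments — they are emitted verbatim into the Content-Security-Policy header as an unrecognized directive (name `/*`, value `cspVersion=e14 */`), which browsers discard with a console warning and which leaves the version in the header the commit title says it removes; the second patch (e15/r15) carries the same construct. Keep the marker as a real Java comment outside the text block, e.g. replace the `/* cspVersion=e14 */` line with nothing and write the closing line as `""";  // cspVersion=e14` (same for the report-only block). With `?cspVersion=` gone from the report-uri, the report endpoint can no longer distinguish enforced from report-only violations by URL; presumably it will rely on the `disposition` field in the report body, which is worth confirming on the receiving side. The enclosing main method starts and ends outside the hunk.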
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -85,11 +85,11 @@ public static void main(String[] args)
 String enforceCsp = baseCsp + """
 ${UPGRADE.INSECURE.REQUESTS}
 frame-ancestors 'self' ;
- /* cspVersion=e14 */
+ /* cspVersion=e15 */
 """;
 // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
 String reportCsp = baseCsp + """
- /* cspVersion=r14 */
+ /* cspVersion=r15 */
 """;

 application.setDefaultProperties(new HashMap<>()