• External Redirect Hosts
• External Allowed Sources

External Redirect Hosts

For security reasons, LabKey Server restricts the host names that can be used in returnUrl parameters. By default, only redirects to the same LabKey instance are allowed. Other server host names must be specifically granted access to allow them to be automatically redirected.

For more information on the security concern, please refer to the OWASP advisory .

A site administrator can allow hosts based on the server name or IP address, based on how it will be referenced in the returnUrl parameter values.

To add an External Redirect Host URL to the approved list:

• Go to > Site > Admin Console.
• Under Configuration click External Redirect Hosts.
• In the Host field enter an approved URL and click Save.
• URLs already granted access are added to the list under Existing External Redirect Hosts.
• You can directly edit and save the list of existing redirect URLs if necessary.

External Allowed Sources

For security reasons, LabKey Server restricts the hosts that can be used as resource origins. Learn more about this security concern, here: OWASP cheat sheet.

By default, only LabKey sources are allowed, other server URLs must be configured on this page to enable them to be used as script sources. As one example, an external source might be needed to support a script tag like the following in an page or wiki:

<script src="www.myexternalhost.com/script.js" />

Add allowed source URLs or IP address as they will be referenced in connections from external servers. For example: www.myexternalhost.com or 1.2.3.4:

External sites added as sources will be allowed as "connection-src" elements in the content security policy, making it possible for clients to avoiding needing a custom CSP for allowing these sources.

Related Topics

• LabKey URLs
• Set Application Properties