• Allowed External Redirect Hosts
• Allowed External Resource Hosts

External Redirect Hosts

For security reasons, LabKey Server restricts the host names that can be used in returnUrl parameters. By default, only redirects to the same LabKey instance are allowed. Other server host names must be specifically granted access to allow them to be automatically redirected.

For more information on the security concern, please refer to the OWASP advisory .

A site administrator can allow hosts based on the server name or IP address, based on how it will be referenced in the returnUrl parameter values.

Allowed External Resource Hosts

The Register New External Resource Host panel will show details about the specific CSP configured on this server. Learn more here: Content Security Policy.

The standard LabKey CSP restricts hosts that browsers can use as resource origins. By default, only sources from this server are allowed; other server hosts must be configured below to enable them to be used as external sources. All provided hosts are added into the CSP using the ${} substitution key shown next to each directive.

As one example, a "connect-src" directive would be needed to support a script tag like the following in an page or wiki:

<script src="www.externalserver.com/script.js" />

To allow a resource, pick a directive and add the associated hostname or IP address, for example: www.myexternalhost.com or 1.2.3.4.

External sites added as sources will be allowed as elements in the content security policy, making it possible for clients to avoiding needing a custom CSP for allowing these sources.

Find examples in that topic.

Related Topics

• LabKey URLs
• Set Application Properties