A couple more CSP enhancements (#1112)

Author: labkey-adam

server/configs/application.properties

@@ -46,6 +46,7 @@ context.encryptionKey=@@encryptionKey@@
 
 ## By default, we serve LabKey at the root context path (e.g. http://localhost:8080)
 ## You may customize the context path if you wish (e.g. http://localhost:8080/labkey)
+## The context path value must start with a slash
 #context.contextPath=@@contextPath@@
 
 ## Using a legacy context path provides backwards compatibility with old deployments. A typical use case would be to

server/embedded/build.gradle

@@ -161,7 +161,7 @@ project.publishing {
             artifact project.tasks.bootJar.outputs.files.singleFile
             pom {
                 name = "LabKey Server Embedded"
-                description = "LabKey classes for producing distributions with embedded TomCat."
+                description = "Embedded Tomcat, Spring Boot, and the LabKey classes that configure these components"
                 developers PomFileHelper.getLabKeyTeamDevelopers()
                 licenses PomFileHelper.getApacheLicense()
                 organization PomFileHelper.getLabKeyOrganization()

server/embedded/src/org/labkey/embedded/LabKeyServer.java

@@ -46,7 +46,7 @@ public static void main(String[] args)
             return;
         }
 
-        // Issue 40038: Ride-or-die Mode - default to shutting down by default in embedded deployment scenario
+        // Issue 40038: Ride-or-die Mode - default to shutting down by default
         if (System.getProperty(TERMINATE_ON_STARTUP_FAILURE) == null)
         {
             System.setProperty(TERMINATE_ON_STARTUP_FAILURE, "true");
@@ -71,7 +71,7 @@ public static void main(String[] args)
         String baseCsp = """
                 default-src 'self' ;
                 connect-src 'self' ${CONNECTION.SOURCES} ;
-                object-src 'none' ;
+                object-src ${OBJECT.SOURCES} ;  /* Substitution value defaults to 'none' unless overridden by an admin */
                 style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ;
                 img-src 'self' data: ${IMAGE.SOURCES} ;
                 font-src 'self' data: ${FONT.SOURCES} ;
@@ -871,5 +871,4 @@ public void setKeyStore(String keyStore)
             this.keyStore = keyStore;
         }
     }
-
 }

server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java

@@ -275,7 +275,7 @@ private void addContextProperty(StandardContext context, String value, String na
         }
     }
 
-    // Issue 48565: allow for JSON-formatted access logs in embedded tomcat
+    // Issue 48565: allow for JSON-formatted access logs
     private void configureJsonAccessLogging(Tomcat tomcat, LabKeyServer.JsonAccessLog logConfig)
     {
         var v = new JsonAccessLogValve();