chore: add feature flag to disable Content-Security-Policy report mode.

Address to #226

Author: php-coder

pom.xml

@@ -466,6 +466,13 @@
 			<scope>test</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>org.togglz</groupId>
+			<artifactId>togglz-junit</artifactId>
+			<version>${togglz.version}</version>
+			<scope>test</scope>
+		</dependency>
+		
 		<dependency>
 			<groupId>org.togglz</groupId>
 			<artifactId>togglz-testing</artifactId>

src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java

@@ -22,6 +22,7 @@
 import ru.mystamps.web.feature.collection.CollectionUrl;
 import ru.mystamps.web.feature.series.SeriesUrl;
 import ru.mystamps.web.feature.site.SiteUrl;
+import ru.mystamps.web.support.togglz.Features;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -34,6 +35,9 @@
 @RequiredArgsConstructor
 class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 
+	private static final String CSP_HEADER             = "Content-Security-Policy";
+	private static final String CSP_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";
+	
 	private static final String COLLECTION_INFO_PAGE_PATTERN =
 		CollectionUrl.INFO_COLLECTION_PAGE.replace("{slug}", "");
 
@@ -165,7 +169,8 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	@Override
 	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
 		String uri = request.getRequestURI();
-		response.setHeader("Content-Security-Policy-Report-Only", constructDirectives(uri));
+		String header = Features.CSP_REPORT_ONLY.isActive() ? CSP_REPORT_ONLY_HEADER : CSP_HEADER;
+		response.setHeader(header, constructDirectives(uri));
 	}
 
 	@SuppressWarnings({ "PMD.NPathComplexity", "PMD.ModifiedCyclomaticComplexity" })

src/main/java/ru/mystamps/web/support/togglz/Features.java

@@ -34,7 +34,11 @@ public enum Features implements Feature {
 	USE_COUNTRY_MICROSERVICE,
 
 	@Label("/site/index: feature to check that Togglz works")
-	ALWAYS_DISABLED;
+	ALWAYS_DISABLED,
+	
+	@Label("Use Content-Security-Policy-Report-Only header instead of Content-Security-Policy")
+	@EnabledByDefault
+	CSP_REPORT_ONLY;
 
 	public boolean isActive() {
 		return FeatureContext.getFeatureManager().isActive(this);

src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java

@@ -18,10 +18,13 @@
 package ru.mystamps.web.support.spring.security;
 
 import org.assertj.core.api.WithAssertions;
+import org.junit.Rule;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.togglz.junit.TogglzRule;
 import ru.mystamps.web.feature.site.SiteUrl;
+import ru.mystamps.web.support.togglz.Features;
 import ru.mystamps.web.tests.Random;
 
 import javax.servlet.http.HttpServletRequest;
@@ -36,22 +39,35 @@ public class ContentSecurityPolicyHeaderWriterTest implements WithAssertions {
 	private static final int NUMBER_OF_DIRECTIVES_ON_INFO_SERIES_PAGE = 7;
 	private static final int NUMBER_OF_DIRECTIVES_ON_H2_CONSOLE_PAGE = 7;
 
+	@Rule
+	public TogglzRule togglz = TogglzRule.allEnabled(Features.class);
+	
 	//
 	// Tests for writeHeaders()
 	//
 
 	@Test
 	public void writeContentSecurityPolicyHeader() {
+		// given
 		ContentSecurityPolicyHeaderWriter writer =
 			new ContentSecurityPolicyHeaderWriter(bool(), bool(), bool(), Random.host());
-		
 		HttpServletRequest request = new MockHttpServletRequest();
 		HttpServletResponse response = new MockHttpServletResponse();
+
+		// when
 		writer.writeHeaders(request, response);
-		
+		// then
 		String header = response.getHeader("Content-Security-Policy-Report-Only");
 		assertThat(header).isNotNull();
 		assertThat(header.split(";")).hasSize(NUMBER_OF_DIRECTIVES_ON_STANDARD_PAGES);
+		
+		// when
+		togglz.disable(Features.CSP_REPORT_ONLY);
+		writer.writeHeaders(request, response);
+		// then
+		header = response.getHeader("Content-Security-Policy");
+		assertThat(header).isNotNull();
+		assertThat(header.split(";")).hasSize(NUMBER_OF_DIRECTIVES_ON_STANDARD_PAGES);
 	}
 
 	//