CSP: adjust configuration for using H2 web console.

Workaround for h2database/h2database#612

Addressed to #226

Author: php-coder

src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java

@@ -92,6 +92,34 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 		" 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='"
 		+ " 'sha256-zQDRfdePzsm4666fPPtpna61v74bryIt2Xu5qx2rn4A='";
 
+	// - 'sha256-biL...' is required for 'display: none;' inline CSS
+	// - 'sha256-ZdH...' is required for 'display: none' inline CSS
+	// - 'sha256-aqN...' is required for 'display:none' inline CSS
+	// - 'sha256-tIs...' is required for 'text-decoration: none;' inline CSS
+	// - 'sha256-VPM...' is required for 'vertical-align: middle;' inline CSS
+	// - 'sha256-CDs...' is required for 'padding:0px' inline CSS
+	// - 'sha256-65m...' is required for 'white-space:nowrap' inline CSS
+	// - 'sha256-xSK...' is required for 'margin: 0px; padding: 0px;' inline CSS
+	// - 'sha256-Jnn...' is required for 'padding:0;width:10px;height:10px;' inline CSS
+	// - 'sha256-yBh...' is required for 'margin: 20px' inline CSS
+	// - 'sha256-ec+...' is required for 'width:300px' inline CSS
+	// - 'sha256-rqk...' is required for 'width:300px;' inline CSS
+	// - 'sha256-PGJ...' is required for 'width:200px;' inline CSS
+	private static final String STYLE_H2_CONSOLE =
+		" 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='"
+		+ " 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='"
+		+ " 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='"
+		+ " 'sha256-tIs8OfjWm8MHgPJrHv7mM4wvA/FDFcra3Pd5icRMX+k='"
+		+ " 'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc='"
+		+ " 'sha256-CDs+xFw5uMoNgtE5XIrz5GXgs3O+/NFkYK2IK/vKSBE='"
+		+ " 'sha256-65mkwZPt4V1miqNM9CcVYkrpnlQigG9H6Vi9OM/JCgY='"
+		+ " 'sha256-xSKCQeN6yeCb4HCkijkjoBFHWdJFwmwDiFa3XlZZ6Bs='"
+		+ " 'sha256-JnnwE+8wsBgf/bh1qyvAsUVHBgiTioeZ1NSUKff7mOM='"
+		+ " 'sha256-yBhVF062O1IGu3ZngyEhh9l561VFLsJpdSxVtbwisRY='"
+		+ " 'sha256-eC+jXvbVSsG0J4zQfR5fWxxUCqpaa5DZLbINjWNCu48='"
+		+ " 'sha256-rqkMEwsWwrInJqctxmIaWOCFPV+Qmym3tMHH3wtq3Y0='"
+		+ " 'sha256-PGJ8tjuz2DXGgB1Sie9pW8BrxBGK6EQndbLEkXd44T8='";
+	
 	// - 'unsafe-inline' is required by jquery.min.js (that is using code inside of
 	// event handlers. We can't use hashing algorithms because they aren't supported
 	// for handlers. In future, we should get rid of jQuery or use
@@ -119,6 +147,9 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	// - 'self' is required for AJAX requests from our scripts (country suggestions on /series/add)
 	private static final String CONNECT_SRC = "connect-src 'self'";
 
+	// - 'self' is required for frames on H2 webconsole
+	private static final String CHILD_SRC = "child-src 'self'";
+	
 	private static final char SEPARATOR = ';';
 
 	private static final int MIN_HEADER_LENGTH =
@@ -165,6 +196,9 @@ private String constructDirectives(String uri) {
 
 		} else if (uri.startsWith(TOGGLZ_PAGES_PATTERN)) {
 			sb.append(STYLE_TOGGLZ);
+		
+		} else if (uri.startsWith("/console/")) {
+			sb.append(STYLE_H2_CONSOLE);
 		}
 
 		sb.append(SEPARATOR)
@@ -179,6 +213,10 @@ private String constructDirectives(String uri) {
 			sb.append(SCRIPTS_SERIES_ADD_PAGE)
 			  .append(SEPARATOR)
 			  .append(CONNECT_SRC);
+		
+		} else if (uri.startsWith("/console/")) {
+			sb.append(SEPARATOR)
+			  .append(CHILD_SRC);
 		}
 
 		return sb.toString();

src/main/resources/application-test.properties

@@ -9,6 +9,8 @@ spring.datasource.initialize: false
 spring.h2.console.enabled: true
 spring.h2.console.path: /console
 security.basic.enabled: false
+# required for using /console with CSP because we have many hashes as a workaround
+server.max-http-header-size: 4096
 
 spring.mail.host: 127.0.0.1
 spring.mail.port: 1025