Polish content security policy contribution

See gh-7373
See gh-7373

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -175,15 +175,17 @@ public class SecurityProperties implements SecurityPrerequisite {
 		}
 
 		public enum ContentSecurityPolicyMode {
+
 			/**
-			 * Use the {@code Content-Security-Policy} header.
+			 * Use the 'Content-Security-Policy' header.
 			 */
 			DEFAULT,
 
 			/**
-			 * Use the {@code Content-Security-Policy-Report-Only} header.
+			 * Use the 'Content-Security-Policy-Report-Only' header.
 			 */
 			REPORT_ONLY
+
 		}
 
 		/**
@@ -212,7 +214,7 @@ public class SecurityProperties implements SecurityPrerequisite {
 		private String contentSecurityPolicy;
 
 		/**
-		 * Whether to use the "Content-Security-Policy" or "Content-Security-Policy-Report-Only" header.
+		 * Security policy mode.
 		 */
 		private ContentSecurityPolicyMode contentSecurityPolicyMode = ContentSecurityPolicyMode.DEFAULT;
 
@@ -265,7 +267,8 @@ public class SecurityProperties implements SecurityPrerequisite {
 			return this.contentSecurityPolicyMode;
 		}
 
-		public void setContentSecurityPolicyMode(ContentSecurityPolicyMode contentSecurityPolicyMode) {
+		public void setContentSecurityPolicyMode(
+				ContentSecurityPolicyMode contentSecurityPolicyMode) {
 			this.contentSecurityPolicyMode = contentSecurityPolicyMode;
 		}
 

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

@@ -29,6 +29,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers;
+import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode;
 import org.springframework.boot.autoconfigure.web.ErrorController;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
@@ -109,12 +110,13 @@ public class SpringBootWebSecurityConfiguration {
 			configurer.contentTypeOptions().disable();
 		}
 		if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
-			if (headers.getContentSecurityPolicyMode() == Headers.ContentSecurityPolicyMode.DEFAULT) {
+			String policyDirectives = headers.getContentSecurityPolicy();
-				configurer.contentSecurityPolicy(headers.getContentSecurityPolicy());
+			ContentSecurityPolicyMode mode = headers.getContentSecurityPolicyMode();
+			if (mode == ContentSecurityPolicyMode.DEFAULT) {
+				configurer.contentSecurityPolicy(policyDirectives);
 			}
 			else {
-				assert headers.getContentSecurityPolicyMode() == Headers.ContentSecurityPolicyMode.REPORT_ONLY;
+				configurer.contentSecurityPolicy(policyDirectives).reportOnly();
-				configurer.contentSecurityPolicy(headers.getContentSecurityPolicy()).reportOnly();
 			}
 		}
 		if (!headers.isXss()) {

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java

@@ -214,7 +214,8 @@ public class SpringBootWebSecurityConfigurationTests {
 						is(notNullValue())))
 				.andExpect(MockMvcResultMatchers.header().string("X-Frame-Options",
 						is(notNullValue())))
-				.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy"));
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy"));
 	}
 
 	@Test
@@ -250,9 +251,10 @@ public class SpringBootWebSecurityConfigurationTests {
 						.getBean("springSecurityFilterChain", Filter.class))
 				.build();
 		mockMvc.perform(MockMvcRequestBuilders.get("/"))
-				.andExpect(MockMvcResultMatchers.header().string("Content-Security-Policy",
+				.andExpect(MockMvcResultMatchers.header()
-						is("default-src 'self';")))
+						.string("Content-Security-Policy", is("default-src 'self';")))
-				.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy-Report-Only"));
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy-Report-Only"));
 	}
 
 	@Test
@@ -266,9 +268,10 @@ public class SpringBootWebSecurityConfigurationTests {
 						.getBean("springSecurityFilterChain", Filter.class))
 				.build();
 		mockMvc.perform(MockMvcRequestBuilders.get("/"))
-				.andExpect(MockMvcResultMatchers.header().string("Content-Security-Policy-Report-Only",
+				.andExpect(MockMvcResultMatchers.header().string(
-						is("default-src 'self';")))
+						"Content-Security-Policy-Report-Only", is("default-src 'self';")))
-				.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy"));
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy"));
 	}
 
 	@Configuration