fix: really enable use of CSP hashes for styles

It has turned out that hashes don't work alone and requires 'unsafe-hashes' directive. Here is the
error from Chrome:

Either the 'unsafe-inline' keyword, a hash ('sha256-tIs8OfjWm8MHgPJrHv7mM4wvA/FDFcra3Pd5icRMX+k='),
or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to
event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Part of #226

Author: php-coder

src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java

@@ -179,22 +179,30 @@ protected String constructDirectives(String uri) {
 		  .append(REPORT_URI).append(host).append(SiteUrl.CSP_REPORTS_HANDLER).append(SEPARATOR)
 		  .append(STYLE_SRC).append(useSingleHost ? STYLES_SELF : STYLES_ALT);
 
+		boolean hasHashes = false;
 		if (useCdn) {
 			sb.append(' ').append(STYLES_CDN);
 		}
 
 		if (onCollectionInfoPage) {
 			sb.append(STYLE_COLLECTION_INFO);
+			hasHashes = true;
 
 		} else if (uri.matches(ADD_IMAGE_PAGE_PATTERN)) {
 			sb.append(STYLE_SERIES_ADD_IMAGE);
+			hasHashes = true;
 
 			if (onAddSeriesPage) {
 				sb.append(STYLE_SERIES_ADD_PAGE);
 			}
 
 		} else if (onH2ConsolePage) {
 			sb.append(STYLE_H2_CONSOLE);
+			hasHashes = true;
+		}
+		
+		if (hasHashes) {
+			sb.append(" 'unsafe-hashes'");
 		}
 
 		sb.append(SEPARATOR)

src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java

@@ -154,6 +154,7 @@ public void onCollectionInfoPageWithLocalResources() {
 					+ " 'self'"
 					+ " https://www.gstatic.com"
 					+ " 'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='"
+					+ " 'unsafe-hashes'"
 			)
 			.contains(
 				"script-src"
@@ -186,6 +187,7 @@ public void onCollectionInfoPageWithResourcesFromCdn() {
 					+ " https://maxcdn.bootstrapcdn.com"
 					+ " https://www.gstatic.com"
 					+ " 'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='"
+					+ " 'unsafe-hashes'"
 			)
 			.contains(
 				"script-src"
@@ -220,6 +222,7 @@ public void onSeriesAddImagePageWithLocalResources() {
 						+ " https://cdn.jsdelivr.net"
 						+ " 'self'"
 						+ " 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
+						+ " 'unsafe-hashes'"
 				)
 				.contains("connect-src 'self'")
 				// hope that all other directives are the same as on the index page
@@ -248,6 +251,7 @@ public void onSeriesAddImagePageWithResourcesFromCdn() {
 						+ " https://stamps.filezz.ru"
 						+ " https://maxcdn.bootstrapcdn.com"
 						+ " 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
+						+ " 'unsafe-hashes'"
 				)
 				.contains(
 					"script-src"
@@ -283,6 +287,7 @@ public void onSeriesAddPageWithLocalResources() {
 					+ " 'self'"
 					+ " 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
 					+ " https://cdnjs.cloudflare.com"
+					+ " 'unsafe-hashes'"
 			)
 			.contains(
 				"script-src"
@@ -316,6 +321,7 @@ public void onSeriesAddPageWithResourcesFromCdn() {
 					+ " https://maxcdn.bootstrapcdn.com"
 					+ " 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
 					+ " https://cdnjs.cloudflare.com"
+					+ " 'unsafe-hashes'"
 			)
 			.contains(
 				"script-src"
@@ -357,6 +363,7 @@ public void onH2ConsoleWithLocalResources() {
 					+ " 'sha256-yBhVF062O1IGu3ZngyEhh9l561VFLsJpdSxVtbwisRY='"
 					+ " 'sha256-RZ7vfNSfdJtvDeBSz2SI5g3wroaD1A1SzsDb04Yw9V0='"
 					+ " 'sha256-PGJ8tjuz2DXGgB1Sie9pW8BrxBGK6EQndbLEkXd44T8='"
+					+ " 'unsafe-hashes'"
 			)
 			.contains("child-src 'self'")
 			// hope that all other directives are the same as on the index page