task: configure CSP to allow JavaScript from unpkg.com on series info page.

Addressed to #1056 and #1057

No functional changes.

Author: php-coder

src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java

@@ -137,6 +137,9 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	// - 'https://cdnjs.cloudflare.com' is required by selectize.bootstrap3.min.css
 	private static final String SCRIPTS_SERIES_ADD_PAGE = " https://cdnjs.cloudflare.com";
 
+	// - 'https://unpkg.com' is required by react/react-dom
+	private static final String SCRIPTS_SERIES_INFO_PAGE = " https://unpkg.com";
+	
 	// - 'unsafe-eval' is required by loader.js from Google Charts
 	// - 'https://www.gstatic.com' is required by Google Charts
 	private static final String SCRIPT_COLLECTION_INFO = " 'unsafe-eval' https://www.gstatic.com";
@@ -214,8 +217,9 @@ protected String constructDirectives(String uri) {
 			sb.append(SEPARATOR)
 			  .append(CHILD_SRC);
 		} else if (SERIES_INFO_PAGE_PATTERN.matcher(uri).matches()) {
-			// anonymous and users without a required authority actually don't need this directive
-			sb.append(SEPARATOR)
+			// anonymous and users without a required authority actually don't need these directives
+			sb.append(SCRIPTS_SERIES_INFO_PAGE)
+			  .append(SEPARATOR)
 			  .append(CONNECT_SRC);
 		}
 

src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java

@@ -246,6 +246,18 @@ public void onSeriesAddImagePageWithResourcesFromCdn() {
 				)
 			);
 
+			assertThat(
+				directives,
+				hasItemInArray(
+					"script-src "
+						+ "'unsafe-inline' "
+						+ "https://stamps.filezz.ru "
+						+ "https://maxcdn.bootstrapcdn.com "
+						+ "https://yandex.st "
+						+ "https://unpkg.com"
+				)
+			);
+			
 			assertThat(directives, hasItemInArray("connect-src 'self'"));
 
 			// hope that all other directives are the same as on the index page