With the removal of X-XSS-Protection, it would be nice to simplify adding Content-Security-Policy.

One way to do this is to turn on Content-Security-Policy-Report-Only by default. Spring Security could provide a simple reporting endpoint that publishes an ApplicationEvent when the policy is violated. Similar to DefaultLoginPageGeneratingFilter, this endpoint would likely be replaced, but would work for giving applications a head start on Content-Security-Policy.

Folks would change this behavior by setting the header themselves like so:

```java
http.headers((headers) -> headers.contentSecurityPolicy())
```

The above would replace `Content-Security-Policy-Report-Only: default-src 'self'; report-uri: /report-uri` with `Content-Security-Policy: default-src 'self'`.

- [ ] Provide default endpoint for reporting violations
- [ ] Change default directive for report-only to report to default endpoint
- [ ] Make report-only setting the default
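A constructed sketch of the proposal above, added here as an example and not Spring Security's own code: a report-only policy pointing at a default endpoint, which turns each browser report into an ApplicationEvent for the application to consume with `@EventListener`. It assumes Spring Security 6 with Spring MVC and Jackson on the classpath; the `/report-uri` path, the class names and the authenticated-by-default rule are assumptions.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.*;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;

// Assumed names: /report-uri, CspViolationEvent, CspReportController (not Spring Security API).
@Configuration
class CspReportOnlyConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers((headers) -> headers.contentSecurityPolicy((csp) -> csp
                .policyDirectives("default-src 'self'; report-uri /report-uri")
                .reportOnly()))                      // emits Content-Security-Policy-Report-Only
            // Browsers POST reports with no CSRF token and no session: exempt and permit the endpoint.
            .csrf((csrf) -> csrf.ignoringRequestMatchers("/report-uri"))
            .authorizeHttpRequests((auth) -> auth
                .requestMatchers("/report-uri").permitAll()
                .anyRequest().authenticated());      // assumed rule for the rest of the app
        return http.build();
    }
}

// Published once per violation report; listeners can log it, count it, or alert on it.
class CspViolationEvent extends ApplicationEvent {
    final JsonNode report;
    CspViolationEvent(Object source, JsonNode report) { super(source); this.report = report; }
}

@RestController
class CspReportController {
    private final ApplicationEventPublisher publisher;
    private final ObjectMapper mapper = new ObjectMapper();
    CspReportController(ApplicationEventPublisher publisher) { this.publisher = publisher; }

    // Reports arrive as application/csp-report, which the default JSON converter does not map,
    // so read the raw String and parse it. The body is untrusted browser input: bound its size.
    @PostMapping(path = "/report-uri", consumes = "application/csp-report")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    void report(@RequestBody String body) throws Exception {
        if (body.length() > 16_384) return;
        JsonNode report = mapper.readTree(body).path("csp-report");   // {"csp-report": {...}}
        if (!report.isMissingNode()) publisher.publishEvent(new CspViolationEvent(this, report));
    }
}
```

A listener would typically read `violated-directive`, `blocked-uri` and `document-uri` from the event's report node; once reports stop arriving for legitimate resources, the same directives can be moved to the enforcing `Content-Security-Policy` header as described above.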