safeweb: add opt-in inline style CSP toggle (#11551)

Allow the use of inline styles with safeweb via an opt-in configuration
item. This will append `style-src "self" "unsafe-inline"` to the default
CSP. The `style-src` directive will be used in lieu of the fallback
`default-src "self"` directive.

Updates tailscale/corp#8027

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>

safeweb/http_test.go

@@ -6,6 +6,8 @@ package safeweb
 import (
 	"net/http"
 	"net/http/httptest"
+	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/gorilla/csrf"
@@ -364,3 +366,29 @@ func TestRefererPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestCSPAllowInlineStyles(t *testing.T) {
+	for _, allow := range []bool{false, true} {
+		t.Run(strconv.FormatBool(allow), func(t *testing.T) {
+			h := &http.ServeMux{}
+			h.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Write([]byte("ok"))
+			}))
+			s, err := NewServer(Config{BrowserMux: h, CSPAllowInlineStyles: allow})
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			req := httptest.NewRequest("GET", "/", nil)
+			w := httptest.NewRecorder()
+			s.h.Handler.ServeHTTP(w, req)
+			resp := w.Result()
+
+			csp := resp.Header.Get("Content-Security-Policy")
+			allowsStyles := strings.Contains(csp, "style-src 'self' 'unsafe-inline'")
+			if allowsStyles != allow {
+				t.Fatalf("CSP inline styles want: %v; got: %v", allow, allowsStyles)
+			}
+		})
+	}
+}