HttpExtension: allow setup CSP in report only mode#135
Conversation
The question is whether it makes sense to use the headers Content-Security-Policy and Content-Security-Policy-Report-Only (with different settings) together? I think it does: a Report-Only header can be used to test a future revision to a policy without actually deploying it.

This commit allows only one of them to be enabled at a time. But I can actually see a case when I have a CSP policy and I want to experiment with a stricter policy via Report-Only at the same time.

It would be better to add something like

in order to support both of them at the same time? I don't need this functionality at the moment, so maybe opening an issue with this feature description just to keep track of it would be enough for now?

It is good to think ahead. Will it be possible to implement support for both headers in a way that will co-exist with this solution?
CSP can now be enabled in report only mode. PR to nette/application will be sent in just a minute.