Release 2.2

- Align assets to recent HTML 5 Boilerplate 7.3.0
- New CPS unit to handle Content Security Policy Level 2 / Level 3
- Add TBoilerplateHTTPServer.ContentSecurityPolicyReportOnly property
- BoilerplateAssets content types normalization

.gitattributes

@@ -1,2 +1,3 @@
 * text=auto
 Tests/Assets/* binary
+Tests/pre-build.sh binary

Assets/css/main.css

@@ -1,4 +1,4 @@
-/*! HTML5 Boilerplate v7.2.0 | MIT License | https://html5boilerplate.com/ */
+/*! HTML5 Boilerplate v7.3.0 | MIT License | https://html5boilerplate.com/ */
 
 /* main.css 2.0.0 | MIT License | https://github.com/h5bp/main.css#readme */
 /*

BoilerplateAssets.pas

@@ -3,7 +3,7 @@
 unit BoilerplateAssets;
 
 (*
-  This file is a path of integration project between HTML5 Boilerplate and
+  This unit is a path of integration project between HTML5 Boilerplate and
   Synopse mORMot Framework.
 
     https://synopse.info
@@ -37,7 +37,10 @@
   - Kylix 3 support (over CrossKilyx)
 
   Version 2.1.1
-  - Fix TAsset.SaveIdentityToFile when Root is empty
+  - Fix TAsset.SaveIdentityToFile bug when Root is empty
+
+  Version 2.2
+  - Content types normalization
 *)
 
 interface
@@ -63,16 +66,16 @@ interface
     Path: RawUTF8;
     Modified: TDateTime;
     ContentType: RawUTF8;
-    Content: RawUTF8;
+    Content: RawByteString;
     Hash: Cardinal;
     // We cann't use array[TAssetEncoding] here due to TDynArrayHashed.SaveTo
     // limitations in old Delphi compilers: Delphi 2009 and below. That's why
     // the TAsset structure without nested arrays.
     GZipExists: Boolean;
-    GZipEncoding: RawUTF8;
+    GZipEncoding: RawByteString;
     GZipHash: Cardinal;
     BrotliExists: Boolean;
-    BrotliEncoding: RawUTF8;
+    BrotliEncoding: RawByteString;
     BrotliHash: Cardinal;
     function LoadFromFile(const Root, FileName: TFileName): Boolean;
     procedure SetEncoding(const Encoded: RawByteString;
@@ -97,7 +100,7 @@ interface
     Count: Integer;
     procedure Init;
     function Add(const Root, FileName: TFileName): PAsset;
-    procedure SaveToFile(const FileName: string);
+    procedure SaveToFile(const FileName: TFileName);
     procedure LoadFromFile(const FileName: TFileName);
     procedure LoadFromResource(const ResName: string);
     procedure SaveAll(const Root: TFileName = '';
@@ -427,11 +430,6 @@ procedure CreateDirectories(const FileName: TFileName);
   until False;
 end;
 
-function SortAssetByPath(const A, B): Integer;
-begin
-  Result := StrCompFast(Pointer(TAsset(A).Path), Pointer(TAsset(B).Path));
-end;
-
 { TAsset }
 
 function TAsset.LoadFromFile(const Root, FileName: TFileName): Boolean;
@@ -522,7 +520,7 @@ function TAsset.SaveToFile(const Root: TFileName;
   LModified: TDateTime;
   LSize: Int64;
   FileModified: Boolean;
-  FileContent: RawUTF8;
+  FileContent: RawByteString;
 
 begin
   case Encoding of
@@ -680,7 +678,7 @@ procedure TAssets.SaveAllIdentities(const Root: TFileName;
         SaveIdentityToFile(Root, ChecksNotModified);
 end;
 
-procedure TAssets.SaveToFile(const FileName: string);
+procedure TAssets.SaveToFile(const FileName: TFileName);
 begin
   FileFromString(AlgoSynLZ.Compress(FAssetsDAH.SaveTo), FileName);
 end;

BoilerplateHTTPServer.pas

@@ -3,7 +3,7 @@
 unit BoilerplateHTTPServer;
 
 (*
-  This file is a path of integration project between HTML5 Boilerplate and
+  This unit is a path of integration project between HTML5 Boilerplate and
   Synopse mORMot Framework.
 
     https://synopse.info
@@ -52,7 +52,6 @@
   - RegisterCustomOptions now supports URLs prefixes
 
   Version 2.0
-  - Align all boilerplate assets to recent HTML 5 Boilerplate 7.2.0
   - All Delphi compilers support started from Delphi 6
     (special BuildEvents IDE extenstion provided for old Delphi 6/7/2005/2006)
   - Free Pascal support
@@ -94,6 +93,8 @@
   - bpoVaryAcceptEncoding now supports content created by the inherited class
   - bpoDeleteXPoweredBy was excluded from DEFAULT_BOILERPLATE_OPTIONS
 
+  Version 2.2
+  - Add TBoilerplateHTTPServer.ContentSecurityPolicyReportOnly property
 *)
 
 interface
@@ -540,6 +541,7 @@   TBoilerplateHTTPServer = class(TSQLHttpServer)
     FAssets: TAssets;
     FOptions: TBoilerplateOptions;
     FContentSecurityPolicy: SockString;
+    FContentSecurityPolicyReportOnly: SockString;
     FStrictSSL: TStrictSSL;
     FReferrerPolicy: SockString;
     FWWWRewrite: TWWWRewrite;
@@ -809,6 +811,10 @@   TBoilerplateHTTPServer = class(TSQLHttpServer)
     property ContentSecurityPolicy: SockString
       read FContentSecurityPolicy write FContentSecurityPolicy;
 
+    property ContentSecurityPolicyReportOnly: SockString
+      read FContentSecurityPolicyReportOnly
+      write FContentSecurityPolicyReportOnly;
+
     /// See TBoilerplateOption.bpoEnableReferrerPolicy
     property ReferrerPolicy: SockString read FReferrerPolicy
       write FReferrerPolicy;
@@ -888,6 +894,9 @@   TBoilerplateHTTPServer = class(TSQLHttpServer)
   /// See TBoilerplateHTTPServer.ContentSecurityPolicy
   DEFAULT_CONTENT_SECURITY_POLICY: SockString = '';
 
+  /// See TBoilerplateHTTPServer.ContentSecurityPolicyReportOnly
+  DEFAULT_CONTENT_SECURITY_POLICY_REPORT_ONLY: SockString = '';
+
   CONTENT_SECURITY_POLICY_STRICT =
     'default-src ''self''; ' +
     'base-uri ''none''; ' +
@@ -1234,6 +1243,8 @@ procedure TBoilerplateHTTPServer.Init;
   FAssets.Init;
   FOptions := DEFAULT_BOILERPLATE_OPTIONS;
   FContentSecurityPolicy := DEFAULT_CONTENT_SECURITY_POLICY;
+  FContentSecurityPolicyReportOnly :=
+    DEFAULT_CONTENT_SECURITY_POLICY_REPORT_ONLY;
   FStrictSSL := DEFAULT_STRICT_SLL;
   FReferrerPolicy := DEFAULT_REFERRER_POLICY;
   FWWWRewrite := DEFAULT_WWW_REWRITE;
@@ -1630,8 +1641,13 @@ function TBoilerplateHTTPServer.Request(Context: THttpServerRequest): Cardinal;
 
   if (FContentSecurityPolicy <> '') and
     IdemPChar(Pointer(ContentType), 'TEXT/HTML') then
-      AddCustomHeader(Context, 'Content-Security-Policy',
-        FContentSecurityPolicy);
+          AddCustomHeader(Context, 'Content-Security-Policy',
+            FContentSecurityPolicy);
+
+  if (FContentSecurityPolicyReportOnly <> '') and
+    IdemPChar(Pointer(ContentType), 'TEXT/HTML') then
+          AddCustomHeader(Context, 'Content-Security-Policy-Report-Only',
+            FContentSecurityPolicyReportOnly);
 
   if FStrictSSL = strictSSLOn then
     if Context.UseSSL then
@@ -1662,6 +1678,7 @@ function TBoilerplateHTTPServer.Request(Context: THttpServerRequest): Cardinal;
   if bpoDeleteXPoweredBy in LOptions then
     DeleteCustomHeader(Context, 'X-POWERED-BY:');
 
+  Expires := 0;
   ExpiresDefined := False;
 
   if [bpoSetCacheNoTransform, bpoSetCachePublic, bpoSetCachePrivate,