V2.1.0 add optiion to disable csp headers on single page or whole website

system/typemill/Middleware/CspHeadersMiddleware.php

@@ -29,6 +29,11 @@ class CspHeadersMiddleware implements MiddlewareInterface
 		# add the custom headers to the response after everything is processed
 		$response = $handler->handle($request);
 
+		if(isset($this->settings['cspdisabled']) && $this->settings['cspdisabled'])
+		{
+			return $response;
+		}
+
 		$whitelist 	= ["'unsafe-inline'", "'unsafe-eval'", "'self'", "data:", "*.youtube-nocookie.com", "*.youtube.com"];
 
 		$cspdomains = isset($this->settings['cspdomains']) ? trim($this->settings['cspdomains']) : false;
@@ -59,6 +64,13 @@ class CspHeadersMiddleware implements MiddlewareInterface
 		}
 
 		$whitelist = array_unique($whitelist);
+
+		# do not add csp header if disabled-flag is found
+		if(in_array("disable", $whitelist))
+		{
+			return $response;
+		}
+
 		$whitelist = implode(' ', $whitelist);
 
 	    # Define the Content Security Policy header

system/typemill/settings/system.yaml

@@ -252,4 +252,8 @@ fieldsetdeveloper:
       type: textarea
       label: "Allowed Domains for Content on Typemill (CSP)"
       placeholder: 'https://www.google.com,*google.com'
-      description: "Add all domains separated with comma, that you want to integrate on your Typemill website. Domains will be added to the csp-header. Usually done with plugins and themes, but add manually if something is blocked."
+      description: "Add all domains separated with comma, that you want to integrate on your Typemill website. Domains will be added to the csp-header. Usually done with plugins and themes, but add manually if something is blocked."
+    cspdisabled:
+      type: checkbox
+      label: "Disable CSP Headers"
+      checkboxlabel: "Disable all csp (content security policy) headers for this website."