[OPENMEETINGS-2366] add ability to disable CSP headers

[solomax]

It is not clear why it should be possible "to disable CSP headers"?

[CkNoSFeRaTU]

CSP headers are generally used for preventing XSS attacks but I don't see any functionality in OM which can be utilized by user to embed any malicious scripts. So I think it's not really a big deal if you disable them. And It can be handy if for some reason you have clients with browsers with broken CSP implementations or some popular browser in the future update break something and you need a temporary workaround until it sorted out.

[solomax]

As you can see here https://openmeetings.apache.org/security.html There were a lot of XSS related reports

without CSP XSS is possible via Appointment description (probably)

This feature can be added, but I expect troubles here :( I'll check the code