load two yaml configs

[dragonchaser]

We have added the ability to merge custom CSP rules configuration with the provided ones through PROXY_CSP_CONFIG_FILE_LOCATION (and its yaml equivalent csp_config_file_location) and the ability to completely override the CSP rules configuration through PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION (and its yaml equivalent csp_config_file_override_location)

refs #1475

[butonic]

nice! hm ... I'm nut sure this produces what we expect, when an admin has currently provided a csp rule file where he dropped eg the rules to github. would we not then merge them back because they are in our default? ... I guess that is fine, because he can now overrule them ... but we need to document this propertly ... as it might cause unwanted security sideeffects.

I am aware of #1475 (comment) ... but why don't we introduce a PROXY_CSP_CONFIG_CUSTOMIZATIONS_FILE that allows adding additional rules. If someone really wants to get rid of the rules we provide he can point PROXY_CSP_CONFIG_FILE_LOCATION to an empty file and use his PROXY_CSP_CONFIG_CUSTOMIZATIONS_FILE. Of course he will then have to deal with updates himself.

I find that clearer than an PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION.

hm ... I'm not against this ... I am just worried about admins screaming "security incident!!!"

[kulmann]

I find that clearer than an PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION.

hm ... I'm not against this ... I am just worried about admins screaming "security incident!!!"

... but it would still leave the update check broken for an unknown number of existing instances. Which is the point of my bug report and the main reason for this PR.

But I agree that we need clear documentation about all of this.

[kulmann]

Nice, works like a charm now! Tested both the augmentation and the override successfully. Thank you so much for fixing this!