[4.0] Remove com_csp and move the CSP configuration to the HttpHeaders plugin

[zero-24]

Summary of Changes

After discussions within Production it has been decided today (official note will be included in the upcomming meeting minutes) to drop com_csp from Joomla 4.0 and move the "manuall" CSP settings back to the Plugin. While it could be re-implemented in a future version.
This PR now does that by removing the backend and frontend code of com_csp as well as install and update sql logic stuff.

With that removal the collection and autogeneration of CSP rules will be gone from Joomla 4.0 but the Plugin will still allow to setup the CSP rules.

Testing Instructions

Test Case #1

• Install the build (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/Joomla_4.0.0-beta8-dev+pr.33550-Development-Full_Package.zip)
• Make sure there is no com_csp any more.
• Confirm that the Plugin System HttpHeaders now includes also the CSP settings.

Test Case #2

• Install a 4.0.0beta7
• confirm that com_csp is there
• set the update server to (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/pr_list.xml)
• Update to the new build thats provided
• Confirm that com_csp is gone
• Confirm that the plugin has the new options

Actual result BEFORE applying this Pull Request

com_csp is there

Expected result AFTER applying this Pull Request

com_csp is gone

Documentation Changes Required

• The docs pages for the component and the options page needs to be removed
• The existing doc page needs to be adjusted and updated with the changes done here.

B/C implications

With the removal of com_csp the auto generated csp rules are gone and they will not be migrated, please extract them before you install the update that drops this feature and set it as Forced HTTP Header or via the new setting implmented here.

Personal note

I would like to thank all the people that helped to get to this feature to this place specificly @yvesh and @SniperSister who worked together with me to bring that idea to live. As well as all the other people who put work and effort into extending and improving the current implementation until now. I personally still think this is an important feature to the CMS but I will follow the decision taken by Production.

[brianteeman]

When this is removed the helpTOC script will need to be rerun

[richard67]

The removal of the files vis the script.php should be part of the build script and is not added here in for that reason.

If so, it has to be done also before the next J4 release (Beta or RC, whatever it will be ;-) ).

In order not to miss that I'd prefer it to be done with this PR, since the files and folder removal in script.php has just recently been updated after the upmerge so it is ready for release, except of changes due to this PR here. Or @wilsonge gives me enough time to do it after the merge of this PR and before the release, so I can do it using the script.

[brianteeman]

100% agree with @richard67

[brianteeman]

Please remove

joomla-cms/administrator/language/en-GB/mod_menu.ini

Line 108 in b87b423

MOD_MENU_MANAGE_CSP="Content Security Policy"

[sandewt]

Install the build (https://ci.joomla.org/artifacts/joomla/joomla-cms/4.0-dev/33550/downloads/43088/Joomla_4.0.0-beta8-dev+pr.33550-Development-Full_Package.zip)

Not Found
The requested URL was not found on this server.

[richard67]

@sandewt The links might be outdated due to new commits to this PR. You can find the right links when going down to the bottom, using the "Show all checks" to expand the CI checks, then follow the "Details" link at the right side of the "Downloads" step. There you can find the link to the full installation package for the 1st test and the link to a custom update URL which you can use for the 2nd test.

[richard67]

@sandewt Please wait a bit with testing, the PR will receive an update soon, and then new packages will be built again.

@sanderpotjer Sorry, ignore the notification, I mentioned you by accident.

[sandewt]

@sandewt The links might be outdated due to new co...

Thanks @richard67, I found the package(s).

Following question, how to install 4.0.0beta7 ?

[richard67]

@sandewt The PR meanwhile is ready again for testing. You have to get the new packages because there have been changes.

[sandewt]

I have tested this item ✅ successfully on f5cf7fe

Test Case #1 is OK
Test Case #2 is OK

Didn't look / did nothing with the B/C implications !?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.}

[ReLater]

Bad news. Thank you for your efforts concerning com_csp @zero-24 et al.

[zero-24]

Please remove

joomla-cms/administrator/language/en-GB/mod_menu.ini

Line 108 in b87b423

MOD_MENU_MANAGE_CSP="Content Security Policy"

Sorry i have missed that comment yesterday. Its done now: ea24029

[richard67]

I've restored @sandewt 's test result in the issue tracker so it's properly counted, since the commit which has invalidated the test result was just a removal of an unused language string.

[sandewt]

Didn't look / did nothing with the B/C implications !?

@zero-24 Is this allowed for the test?

[zero-24]

Didn't look / did nothing with the B/C implications !?

@zero-24 Is this allowed for the test?

Yes it is just for the information. Given that there is no stable version of that feature shipped i dont see an issue here.

[Quy]

I have tested this item ✅ successfully on d4866ed

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.}

[Quy]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33550.}

[zero-24]

Thanks for testing and merging here. 👍

[richard67]

Silly me: When reviewing especially the SQL parts of this PR, I have not noticed that the "#__csp" table hasn't been removed from the "supports.sql" files so it is still created on new installations. Am just preparing the PR to fix that.

[richard67]

See #33835 .

[zero-24]

The http headers docs page has been updated and com_csp mention has been removed and the help pages have just been requested to be removed from the docs page too.

[c-schmitz]

Just out of interest and since the meeting minutes are not linked: What was the reason for the decision to remove the component?