feat(nginx): emit Content-Security-Policy from origin (csp-headers.conf)

Include CSP in each location that sets Cache-Control so headers apply on
HTML/static responses (nginx add_header inheritance rules). Used by
Dockerfile-react / ghcr.io isaac-react-app-cs image builds.

Made-with: Cursor

Author: Eric

Dockerfile-react

@@ -18,3 +18,4 @@ ARG BUILD_TARGET
 
 COPY --from=builder /build/$BUILD_TARGET/ /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY csp-headers.conf /etc/nginx/csp-headers.conf

csp-headers.conf

@@ -0,0 +1,3 @@
+# Included from each location block that sets Cache-Control (nginx does not inherit
+# add_header from http/server when a location defines its own add_header).
+add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com  https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;

nginx.conf

@@ -50,24 +50,28 @@ http {
         location /assets {
             # Strongly cache these things for at least 30 days:
             add_header Cache-Control "public, max-age=2592000, no-transform";
+            include /etc/nginx/csp-headers.conf;
             try_files $uri @default;
         }
 
         location /static {
             # Maybe also strongly cache these things for at least 30 days?
             add_header Cache-Control "public, max-age=2592000, no-transform";
+            include /etc/nginx/csp-headers.conf;
             try_files $uri @default;
         }
 
         location /index.html {
             # Index pages, and also serves unknown URLs too from @default.
             # Do not allow caching of these index pages at all:
             add_header Cache-Control "no-cache, no-store, must-revalidate";
+            include /etc/nginx/csp-headers.conf;
             try_files $uri @default;
         }
 
         location ~ ^/unsupported_browser.(html|js)$ {
                 add_header Cache-Control "no-cache, no-store, must-revalidate";
+                include /etc/nginx/csp-headers.conf;
                 try_files $uri @default;
         }
 
@@ -78,6 +82,7 @@ http {
             }
             # Allow caching, but require revalidation every time:
             add_header Cache-Control "no-cache, must-revalidate";
+            include /etc/nginx/csp-headers.conf;
             try_files $uri @default;
         }