1 change: 1 addition & 0 deletions Dockerfile-react
@@ -18,3 +18,4 @@ ARG BUILD_TARGET

COPY --from=builder /build/$BUILD_TARGET/ /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
COPY csp-headers.conf /etc/nginx/csp-headers.conf
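--- a/csp-headers.conf
+++ b/csp-headers.conf
@@ -0,0 +1,3 @@
+# Included from each location block that sets Cache-Control (nginx does not inherit
+# add_header from http/server when a location defines its own add_header).
+add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;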
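Review bot: The policy on the `add_header` line omits `base-uri`, `form-action` and `frame-ancestors`, none of which fall back to `default-src`, so base-tag injection, form submission to other origins and framing by other sites remain unrestricted. Consider appending `base-uri 'self'; form-action 'self'; frame-ancestors 'self'`, relaxing `frame-ancestors` only if the site is legitimately embedded elsewhere. `script-src` is a host allowlist in which `https://*.isaaccomputerscience.org` trusts every subdomain, development hosts included, alongside several broad third-party hosts; a nonce- or hash-based `script-src` would be a tighter follow-up. `style-src 'unsafe-inline'` deserves a one-line comment in this file naming the dependency that requires it, so it can be removed later.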
5 changes: 5 additions & 0 deletions nginx.conf
@@ -50,24 +50,28 @@ http {
location /assets {
# Strongly cache these things for at least 30 days:
add_header Cache-Control "public, max-age=2592000, no-transform";
include /etc/nginx/csp-headers.conf;
try_files $uri @default;
}

location /static {
# Maybe also strongly cache these things for at least 30 days?
add_header Cache-Control "public, max-age=2592000, no-transform";
include /etc/nginx/csp-headers.conf;
try_files $uri @default;
}

location /index.html {
# Index pages, and also serves unknown URLs too from @default.
# Do not allow caching of these index pages at all:
add_header Cache-Control "no-cache, no-store, must-revalidate";
include /etc/nginx/csp-headers.conf;
try_files $uri @default;
}

location ~ ^/unsupported_browser.(html|js)$ {
add_header Cache-Control "no-cache, no-store, must-revalidate";
include /etc/nginx/csp-headers.conf;
try_files $uri @default;
}

@@ -78,6 +82,7 @@ http {
}
# Allow caching, but require revalidation every time:
add_header Cache-Control "no-cache, must-revalidate";
include /etc/nginx/csp-headers.conf;
try_files $uri @default;
}
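Review bot: Every location that gains the include also falls back with `try_files $uri @default`, and nginx takes `add_header` from the location that finally serves the request, not the one that first matched. Responses produced by `@default` (per the comment on `/index.html`, the HTML served for unknown URLs) therefore carry the CSP only if that named location has its own `include /etc/nginx/csp-headers.conf;`, or if it defines no `add_header` and a parent level sets the policy. `@default` and the opening of the last location block are outside these hunks, so this needs confirming there; the HTML document is the response where the policy matters most. Checking the response headers of a deep-link URL (for example with `curl -I`) on the test host would settle it.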

7 changes: 6 additions & 1 deletion src/app/services/constants.ts
@@ -40,9 +40,14 @@ if (document.location.hostname === "localhost") {
apiPath = `${STAGING_URL}/api/any/api`;
} else if (document.location.hostname.endsWith(".eu.ngrok.io")) {
apiPath = "https://isaacscience.eu.ngrok.io/isaac-api/api";
} else if (document.location.hostname === "isaac-fe-alb-test.development.isaaccomputerscience.org") {
// ALB shadow hostname serves only the FE; API stays on the main staging hosts (ingress-nginx /api rewrite).
apiPath = `${STAGING_URL}/api/${API_VERSION}/api`;
}
export const isStaging =
document.location.hostname.startsWith("staging.") || document.location.hostname.startsWith("www.staging.");
document.location.hostname.startsWith("staging.") ||
document.location.hostname.startsWith("www.staging.") ||
document.location.hostname === "isaac-fe-alb-test.development.isaaccomputerscience.org";

export const envSpecific = <L, S, D>(live: L, staging: S, dev: D) =>
isStaging ? staging : process.env.NODE_ENV === "production" ? live : dev;
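Review bot: The new `isaac-fe-alb-test…` branch points `apiPath` at `STAGING_URL`, which the added comment says is a different host, yet the `connect-src` in `csp-headers.conf` lists only `'self'` and `wss://*.isaaccomputerscience.org` for the project's own domain. If `STAGING_URL` is an `https://` origin (it is defined outside this hunk), fetch/XHR calls from the ALB host would be blocked once the policy is served there. Either add the specific staging API origin to `connect-src` or confirm the API is reached same-origin; the API's CORS allowlist would also need the ALB origin. The exact-match `===` is the right choice here, as opposed to the `endsWith` used for ngrok. Separately, the hostname literal now appears twice (the `else if` and `isStaging`); a single `const ALB_TEST_HOSTNAME = "isaac-fe-alb-test.development.isaaccomputerscience.org";` would keep the two checks from drifting apart.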