From e1dc6da0015763e7a0e7d589d873f623bad5c69c Mon Sep 17 00:00:00 2001
From: Eric
Date: Thu, 16 Apr 2026 17:50:43 +0300
Subject: [PATCH] fix(csp): allow connect-src to staging API and Isaac HTTPS origins

ALB shadow host loads FE from one origin while API_PATH targets www.staging; explicit connect-src omitted https Isaac hosts, so fetch was blocked. Add https://*.isaaccomputerscience.org plus explicit staging and stack-alb-test hosts.

Made-with: Cursor
---
csp-headers.conf | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/csp-headers.conf b/csp-headers.conf
index ae509ce6b8..fcd869a3ec 100644
--- a/csp-headers.conf
+++ b/csp-headers.conf
@@ -1,3 +1,5 @@
 # Included from each location block that sets Cache-Control (nginx does not inherit
 # add_header from http/server when a location defines its own add_header).
-add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;
+# connect-src must allow cross-origin API when the FE is on another Isaac host (e.g. ALB shadow → www.staging API).
+# https://*.isaaccomputerscience.org matches only one subdomain label; multi-label staging hosts are listed explicitly.
+add_header Content-Security-Policy "default-src 'self' https://*.isaaccomputerscience.org; object-src 'none'; frame-src 'self' https://*.isaaccomputerscience.org https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://www.gstatic.com https://fast.wistia.net; img-src 'self' data: https://cdn-cookieyes.com https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.googletagmanager.com https://*.tile.openstreetmap.org https://developers.google.com https://i.ytimg.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://*.isaaccomputerscience.org https://fonts.gstatic.com; connect-src 'self' https://*.isaaccomputerscience.org https://www.staging.development.isaaccomputerscience.org https://staging.development.isaaccomputerscience.org https://isaac-stack-alb-test.development.isaaccomputerscience.org wss://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.cookieyes.com https://cdn-cookieyes.com; script-src 'self' https://*.isaaccomputerscience.org https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.youtube-nocookie.com https://www.youtube.com https://www.google.com https://www.gstatic.com https://cdn-cookieyes.com https://fast.wistia.net https://embedwistia-a.akamaihd.net" always;
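Review bot: The second added comment is inaccurate: under the CSP host-part matching rule a leading `*.` in a host-source stands for any number of leading labels, so `https://*.isaaccomputerscience.org` already matches `www.staging.development.isaaccomputerscience.org` and the other two deep staging hosts, which makes those three explicit connect-src entries redundant. The redundancy is harmless, but the comment records a restriction that does not exist and will push future edits toward hand-listing every multi-label host. I would either drop the three explicit hosts or keep them and reword the comment to `# https://*.isaaccomputerscience.org matches subdomains of any depth; the explicit staging hosts below are listed for discoverability only.` The widening of connect-src itself stays inside the trust the policy already grants that wildcard in default-src, frame-src, font-src and script-src, so no new origin class is admitted. Given that, the blocked fetch described in the commit message is most plausibly explained by the missing https wildcard alone rather than by label depth.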