Setup CSP for sub

api/Dockerfile

@@ -29,5 +29,6 @@ RUN npm run lint \
 COPY ./nginx.conf /etc/nginx/nginx.conf
 
 CMD memcached -d -u root \
+    && sed -i "s/API_URL/${API_URL}/g" /etc/nginx/nginx.conf \
     && nginx \
     && npm run prod

api/lib/config.ts

@@ -115,20 +115,30 @@ export default class Config {
             process.env.AWS_DEFAULT_REGION = 'us-east-1';
         }
 
-        let SigningSecret, API_URL, DynamoDB, Bucket, HookURL;
+        let SigningSecret, API_URL, PMTILES_URL, DynamoDB, Bucket, HookURL;
         if (!process.env.StackName || process.env.StackName === 'test') {
             process.env.StackName = 'test';
 
             SigningSecret = 'coe-wildland-fire';
             API_URL = 'http://localhost:5001';
             Bucket = process.env.ASSET_BUCKET;
+            PMTILES_URL = 'http://localhost:5001';
         } else {
             if (!process.env.StackName) throw new Error('StackName env must be set');
             if (!process.env.API_URL) throw new Error('API_URL env must be set');
             if (!process.env.ASSET_BUCKET) throw new Error('ASSET_BUCKET env must be set');
 
             HookURL = process.env.HookURL;
-            API_URL = process.env.API_URL;
+
+            const apiUrl = new URL(`http://${process.env.API_URL}`);
+            if (apiUrl.origin === 'localhost') {
+                API_URL = String(apiUrl);
+                PMTILES_URL = 'http://localhost:5001'
+            } else {
+                PMTILES_URL = `https://tiles.${process.env.API_URL}`;
+                API_URL = String(new URL(`https://${process.env.API_URL}`));
+            }
+
             Bucket = process.env.ASSET_BUCKET;
             DynamoDB = process.env.StackName;
             SigningSecret = await Config.fetchSigningSecret(process.env.StackName);
@@ -162,10 +172,9 @@ export default class Config {
             nosinks: (args.nosinks || false),
             nocache: (args.nocache || false),
             TileBaseURL: process.env.TileBaseURL ? new URL(process.env.TileBaseURL) : new URL('./data-dev/zipcodes.tilebase', import.meta.url),
-            PMTILES_URL: new URL(API_URL).host === 'localhost' ? 'http://localhost:5001' : `https://tiles.${new URL(API_URL).host}`,
             StackName: process.env.StackName,
             wsClients: new Map(),
-            server, SigningSecret, API_URL, DynamoDB, Bucket, pg, models, HookURL
+            server, SigningSecret, API_URL, DynamoDB, Bucket, pg, models, HookURL, PMTILES_URL
         });
 
         if (!config.silent) {

api/nginx.conf

@@ -30,7 +30,7 @@ http {
         add_header 'Referrer-Policy' 'strict-origin-when-cross-origin' always;
         add_header 'Strict-Transport-Security' 'max-age=31536000; includeSubDomains; preload' always;
         add_header 'Permissions-Policy' 'fullscreen=(self), geolocation=(self), clipboard-read=(self), clipboard-write=(self)' always;
-        add_header 'Content-Security-Policy' "default-src 'self'; img-src 'self' data:; worker-src 'self' blob:; style-src-attr 'unsafe-inline'; upgrade-insecure-requests;" always;
+        add_header 'Content-Security-Policy' "default-src 'self' tiles.API_URL; img-src 'self' data: tiles.API_URL; worker-src 'self' blob:; style-src-attr 'unsafe-inline'; upgrade-insecure-requests;" always;
 
         location / {
             if ($request_uri ~ ^/(.*)\.html) {