Get rid of the hardcoded craftpoker.com from mb2's Content Security Policy.
Currently the CSP is written using Actix-web's DefaultHeaders middleware, and we're only supplying fixed strings. However, we use a subdomain for the web-socket so that we can tell Cloudflare to stay out of the way, but although CSP has a 'self' override, it doesn't have a way to add a subdomain to self, presumably because a site doesn't really know its hostname, per se. So, to do this properly, I think, we'd need to have the hostname be something that comes in from an environment variable and then prepend wss://ws. to that.
FWIW, this shouldn't cause us any trouble until we deploy mb2 elsewhere (e.g., back to devctm for testing).
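
One way to build the header value the issue describes, as an added example that is not mb2's own code. The variable name `MB2_HOSTNAME` and the directives other than the `wss://ws.` source are assumptions made for illustration; the hostname is validated because anything placed in a CSP string can otherwise add sources or whole directives.

```rust
use std::env;

/// Hypothetical variable name; the issue only says "an environment variable".
const HOST_VAR: &str = "MB2_HOSTNAME";

/// Accept only a plain DNS hostname: dot-separated labels of ASCII letters,
/// digits and hyphens. Rejecting everything else keeps ';', spaces, quotes
/// and '*' out of the header, so the variable cannot add sources or directives.
fn valid_hostname(host: &str) -> bool {
    !host.is_empty()
        && host.len() <= 253
        && host.split('.').all(|label| {
            !label.is_empty()
                && label.len() <= 63
                && !label.starts_with('-')
                && !label.ends_with('-')
                && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
        })
}

/// Build the CSP value. Only the wss://ws.<host> source comes from the issue;
/// the surrounding directives are constructed placeholders.
fn build_csp(host: &str) -> Result<String, String> {
    let host = host.trim().to_ascii_lowercase();
    if !valid_hostname(&host) {
        return Err(format!("{} is not a plain hostname: {:?}", HOST_VAR, host));
    }
    Ok(format!("default-src 'self'; connect-src 'self' wss://ws.{}", host))
}

/// Read the hostname at startup and fail closed if it is unset or malformed.
fn csp_from_env() -> Result<String, String> {
    let host = env::var(HOST_VAR).map_err(|e| format!("{}: {}", HOST_VAR, e))?;
    build_csp(&host)
}

fn main() {
    match csp_from_env() {
        // This string is the fixed value that would be handed to DefaultHeaders.
        Ok(csp) => println!("Content-Security-Policy: {}", csp),
        Err(e) => {
            eprintln!("refusing to start: {}", e);
            std::process::exit(1);
        }
    }
}
```

Because the value is computed once at startup, it can still be supplied to the DefaultHeaders middleware as a fixed string.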