Merge branch 'vc/http-only-storefront-preview' into vc/http-only-storefront-preview-samesite

Author: vcua-mobify

packages/commerce-sdk-react/src/constant.ts

@@ -11,7 +11,9 @@
 export const IFRAME_HOST_ALLOW_LIST = Object.freeze([
     'https://runtime.commercecloud.com',
     'https://runtime-admin-staging.mobify-storefront.com',
-    'https://runtime-admin-preview.mobify-storefront.com'
+    'https://runtime-admin-preview.mobify-storefront.com',
+    'https://runtime-admin-soak.mobify-storefront.com',
+    'https://runtime-admin-testing.mobify-storefront-staging.com'
 ])
 
 export const SLAS_SECRET_WARNING_MSG =

packages/pwa-kit-runtime/src/ssr/server/constants.js

@@ -63,5 +63,7 @@ export const STOREFRONT_PREVIEW_CTX_COOKIE = '__Host-pwakit_preview_ctx'
 export const STOREFRONT_PREVIEW_PARENT_ALLOW_LIST = Object.freeze([
     'https://runtime.commercecloud.com',
     'https://runtime-admin-staging.mobify-storefront.com',
-    'https://runtime-admin-preview.mobify-storefront.com'
+    'https://runtime-admin-preview.mobify-storefront.com',
+    'https://runtime-admin-soak.mobify-storefront.com',
+    'https://runtime-admin-testing.mobify-storefront-staging.com'
 ])

packages/pwa-kit-runtime/src/utils/middleware/security.test.js

@@ -60,11 +60,13 @@ describe('Content-Security-Policy enforcement', () => {
         defaultPwaKitSecurityHeaders({}, res, () => {})
         res.setHeader(CSP, '')
         // The runtime-admin host list mirrors STOREFRONT_PREVIEW_PARENT_ALLOW_LIST
-        // so Storefront Preview from prod, staging, and preview RA all work.
+        // so Storefront Preview from every trusted RA environment works.
         const ra =
             'https://runtime.commercecloud.com ' +
             'https://runtime-admin-staging.mobify-storefront.com ' +
-            'https://runtime-admin-preview.mobify-storefront.com'
+            'https://runtime-admin-preview.mobify-storefront.com ' +
+            'https://runtime-admin-soak.mobify-storefront.com ' +
+            'https://runtime-admin-testing.mobify-storefront-staging.com'
         expectDirectives([
             `connect-src 'self' ${ra} *.salesforce-scrt.com`,
             `frame-ancestors ${ra}`,