fix: use proper CSP for joule on dev (#4419)

Author: chriskari

index.html

@@ -24,7 +24,8 @@
       http-equiv="Content-Security-Policy"
       content="
         font-src 'self' https://sdk.openui5.org/ https://cdn.jsdelivr.net data:;
-        script-src 'self' 'unsafe-eval' blob: https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap;
+        script-src 'self' 'unsafe-eval' blob: https://*.sapdas.cloud.sap;
+        frame-src 'self' https://*.sapdas.cloud.sap https://*.ondemand.com https://*.sap.com;
         object-src 'self';
       "
     />

nginx/nginx.conf

@@ -38,7 +38,7 @@ http {
         root   /app/core-ui;
 
         add_header 'Cache-Control' 'public, max-age=300';
-        add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap 'sha256-7fF0zlMDaJyxa8K3gkd0Gnt657Obx/gdAct0hR/pdds=' 'sha256-bjOtDHhqB+wVlyFDAxz9e0RvTn+EEec/Z4mpjUjNvAs=' blob:; frame-src 'self' https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap; style-src 'self' 'unsafe-inline'; connect-src 'self' * https://* wss://*; font-src 'self' data:; object-src 'none'; media-src 'self'; form-action 'self'; img-src * data:; worker-src 'self' blob: data:;";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://*.sapdas.cloud.sap 'sha256-7fF0zlMDaJyxa8K3gkd0Gnt657Obx/gdAct0hR/pdds=' 'sha256-bjOtDHhqB+wVlyFDAxz9e0RvTn+EEec/Z4mpjUjNvAs=' blob:; frame-src 'self' https://*.sapdas.cloud.sap https://*.ondemand.com https://*.sap.com; style-src 'self' 'unsafe-inline'; connect-src 'self' * https://* wss://*; font-src 'self' data:; object-src 'none'; media-src 'self'; form-action 'self'; img-src * data:; worker-src 'self' blob: data:;";
         add_header X-Frame-Options 'DENY';
         add_header X-Content-Type-Options 'nosniff';
         add_header Strict-Transport-Security 'max-age=31536000';