Adjust CSP connect-src for non-prod

privaterelay/settings.py

@@ -110,7 +110,11 @@
 #
 
 BASKET_ORIGIN = config("BASKET_ORIGIN", "https://basket.mozilla.org")
-# maps fxa profile hosts to respective avatar hosts for CSP
+
+# maps FxA / Mozilla account profile hosts to respective hosts for CSP
+_FXA_PROFILE_ENDPOINT = config(
+    "FXA_PROFILE_ENDPOINT", "https://profile.accounts.firefox.com/v1"
+)
 _AVATAR_IMG_SRC_MAP = {
     "https://profile.stage.mozaws.net/v1": [
         "mozillausercontent.com",
@@ -121,9 +125,12 @@
         "https://profile.accounts.firefox.com",
     ],
 }
-_AVATAR_IMG_SRC = _AVATAR_IMG_SRC_MAP[
-    config("FXA_PROFILE_ENDPOINT", "https://profile.accounts.firefox.com/v1")
-]
+_AVATAR_IMG_SRC = _AVATAR_IMG_SRC_MAP[_FXA_PROFILE_ENDPOINT]
+_ACCOUNTS_CONNECT_SRC_MAP = {
+    "https://profile.stage.mozaws.net/v1": "https://accounts.stage.mozaws.net",
+    "https://profile.accounts.firefox.com/v1": "https://accounts.firefox.com",
+}
+_ACCOUNTS_CONNECT_SRC = _ACCOUNTS_CONNECT_SRC_MAP[_FXA_PROFILE_ENDPOINT]
 API_DOCS_ENABLED = config("API_DOCS_ENABLED", False, cast=bool) or DEBUG
 
 _CSP_SCRIPT_INLINE = API_DOCS_ENABLED or USE_SILK
@@ -174,9 +181,9 @@
 CSP_CONNECT_SRC = [
     "'self'",
     "https://www.google-analytics.com/",
-    "https://accounts.firefox.com",
     "https://location.services.mozilla.com",
     "https://api.stripe.com",
+    _ACCOUNTS_CONNECT_SRC,
     BASKET_ORIGIN,
 ]
 CSP_FONT_SRC = ["'self'"] + _API_DOCS_CSP_FONT_SRC + ["https://relay.firefox.com/"]
@@ -582,9 +589,7 @@ def set_index_cache_control_headers(
         "OAUTH_ENDPOINT": config(
             "FXA_OAUTH_ENDPOINT", "https://oauth.accounts.firefox.com/v1"
         ),
-        "PROFILE_ENDPOINT": config(
-            "FXA_PROFILE_ENDPOINT", "https://profile.accounts.firefox.com/v1"
-        ),
+        "PROFILE_ENDPOINT": _FXA_PROFILE_ENDPOINT,
         "VERIFIED_EMAIL": True,  # Assume FxA primary email is verified
     }
 }