build: add the new handy-signatur host to the CSP header

When using pdf-as in the backend the iframe will show the host specified
by mobile.sign.url in the backend. We are switching the backend to a
new endpoint, so we have to adjust the CSP to allow loading from that new host.

Keep www.handy-signatur.at for backwards compat.

app-template/.htaccess

@@ -8,7 +8,7 @@ Header set Cache-Control "must-revalidate, max-age=60"
 
 # For more security you can enable the CSP header by uncommenting the following line and adding
 # all the required policies, for example your API and Keycloak URLs.
-# Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' http://127.0.0.1:8000 www.handy-signatur.at; img-src * blob: data:; font-src 'self' data:"
+# Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' http://127.0.0.1:8000 https://www.handy-signatur.at https://service.a-trust.at; img-src * blob: data:; font-src 'self' data:"
 
 # Apache adds a "-gzip" suffix to the etag when it uses gzip but doesn't
 # take that into account when receiving requests.

rollup.config.js

@@ -118,11 +118,18 @@ function getOrigin(url) {
     return '';
 }
 
+// these are the hosts that are allowed to be embedded in an iframe
+const atrustHosts = [
+    'https://www.handy-signatur.at', // old one
+    'https://service.a-trust.at',
+];
+
 config.CSP = `default-src 'self' 'unsafe-eval' 'unsafe-inline' \
 ${getOrigin(config.matomoUrl)} ${getOrigin(config.keyCloakBaseURL)} ${getOrigin(
     config.entryPointURL
 )} \
-${getOrigin(config.nextcloudBaseURL)} www.handy-signatur.at \
+${getOrigin(config.nextcloudBaseURL)} ${getOrigin(config.nextcloudBaseURL)} \
+${atrustHosts.map((h) => getOrigin(h)).join(' ')} \
 ${getOrigin(config.pdfAsQualifiedlySigningServer)}; \
 img-src * blob: data:; font-src 'self' data:`;