feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout

- sys-front-inj-logout: depend on web-svc-logout (run-once guarded) and simplify task flow. - web-svc-logout: align feature flags/formatting and extend CSP: - add cdn.jsdelivr.net to connect/script/style and quote values. - Nginx: move CORS config into logout-proxy.conf.j2 with dynamic vars: - Access-Control-Allow-Origin set to canonical logout origin, - Allow-Credentials=true, - Allow-Methods=GET, OPTIONS, - basic headers list (Accept, Authorization), - cache disabled for /logout responses. - Drop obsolete CORS var passing from 01_core.yml; headers now templated at proxy layer. Prepares clean cross-origin logout orchestration from https://logout.veen.world. Refs: ChatGPT discussion – https://chatgpt.com/share/68ebb75f-0170-800f-93c5-e5cb438b8ed4
2025-10-22 05:55:43 +00:00 · 2025-10-12 16:16:47 +02:00
parent 7dccffd52d
commit a996e2190f
5 changed files with 23 additions and 21 deletions
--- a/roles/web-svc-logout/tasks/01_core.yml
+++ b/roles/web-svc-logout/tasks/01_core.yml
@@ -21,11 +21,6 @@
 - name: "load docker, proxy for '{{ application_id }}'"
  include_role:
    name: sys-stk-full-stateless
-  vars:
-      aca_origin:       "'{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}' always"
-      aca_credentials:  "'true' always"
-      aca_methods:      "'GET, OPTIONS' always"
-      aca_headers:      "'Accept, Authorization' always"

 - name: Create symbolic link from .env file to repository
  file: