simplify accounts configuration on dev instances

lib/defaults.js

@@ -5,6 +5,7 @@ Default.commonCSP = function (Env) {
     var sandbox = Env.httpSafeOrigin;
     sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
     // Content-Security-Policy
+    var accounts_api = Env.accounts_api? ' ' + Env.accounts_api: '';
 
     return [
         "default-src 'none'",
@@ -25,7 +26,7 @@ Default.commonCSP = function (Env) {
             if you are deploying to production, you'll probably want to remove
             the ws://* directive
          */
-        "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox,
+        "connect-src 'self' blob: " + (/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://')) + ' ' + domain + sandbox + accounts_api,
 
         // data: is used by codemirror
         "img-src 'self' data: blob:" + domain,

lib/env.js

@@ -73,6 +73,7 @@ module.exports.create = function (config) {
         fileHost: config.fileHost || undefined,
         NO_SANDBOX: NO_SANDBOX,
         httpSafePort: httpSafePort,
+        accounts_api: config.accounts_api || undefined, // XXX
 
         shouldUpdateNode: !isRecentVersion(),
 

www/checkup/main.js

@@ -75,6 +75,7 @@ define([
     var trimmedSafe = trimSlashes(ApiConfig.httpSafeOrigin);
     var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
     var fileHost = ApiConfig.fileHost;
+    var accounts_api = ApiConfig.accounts_api || AppConfig.accounts_api || undefined;
 
     var getAPIPlaceholderPath = function (relative) {
         var absolute;
@@ -986,7 +987,7 @@ define([
                     API_URL.origin,
                     isHTTPS(fileHost)? fileHost: undefined,
                     // support for cryptpad.fr configuration
-                    AppConfig.accounts_api,
+                    accounts_api,
                     ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
                 ],
 
@@ -1025,7 +1026,7 @@ define([
                     $sandbox,
                     API_URL.origin,
                     isHTTPS(fileHost)? fileHost: undefined,
-                    AppConfig.accounts_api,
+                    accounts_api,
                     ![trimmedUnsafe, trimmedSafe].includes(ACCOUNTS_URL)? ACCOUNTS_URL: undefined,
                 ],
                 'img-src': ["'self'", 'data:', 'blob:', $outer],