fix(core,ui): clear ui preload link not used warning (#4429)

fix(core,ui): address ui preload link not used warning

address ui preload link not used warning

packages/core/src/middleware/koa-security-headers.ts

@@ -106,7 +106,13 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
           "'self'",
           ...conditionalArray(!isProduction && ["'unsafe-eval'", "'unsafe-inline'"]),
         ],
-        connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
+        connectSrc: [
+          "'self'",
+          ...adminOrigins,
+          ...coreOrigins,
+          ...developmentOrigins,
+          ...appInsightsOrigins,
+        ],
         // Allow Main Flow origin loaded in preview iframe
         frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
       },

packages/ui/src/index.html

@@ -5,8 +5,24 @@
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">
   <title></title>
-  <link rel="preload" href="/api/.well-known/sign-in-exp" as="fetch" crossorigin="anonymous">
-  <link rel="preload" href="/api/.well-known/phrases" as="fetch" crossorigin="anonymous">
+  <!--Preload well-known settings API-->
+  <script>
+    const { search } = window.location;
+    const noCache = search.includes('no_cache');
+    const isPreview = search.includes('preview');
+    // Preview mode does not query sign-in-exp and phrases
+    const preLoadLinks = isPreview ? [] : ['/api/.well-known/sign-in-exp', '/api/.well-known/phrases'];
+
+    // Append preload well-known settings API links to head
+    preLoadLinks.forEach((linkUrl) => {
+      const link = document.createElement('link');
+      link.rel = 'preload';
+      link.href = `${linkUrl}${noCache ? '?no_cache=true' : ''}`;
+      link.as = 'fetch';
+      link.crossOrigin = 'anonymous';
+      document.head.appendChild(link);
+    });
+  </script>
 </head>
 
 <body>