I tacked on the primary here, but we could instead add the primary as part of the WorkspaceProxyHostsFn function.

The current method here also includes the primary for AGPL, so if we do that we would also need to make some changes for the AGPL version (assuming wildcard apps and tasks even work with AGPL).

api.AppHostname can be "". We should probably handle empty string, and not add it to the csp header.

ConvertAppHostForCSP uses the first argument if the second is "", so we end up adding the base host instead (my thinking here was that means we are using path-based apps, so the root domain is the app host).

Actually I think my reasoning is incorrect because you can use both wildcard and path-based at the same time, right? Hmm...that means we always want to add the access URL? I guess self would cover that one already, but can you use path-based for the regions? Maybe I need to add both there.

Also I need to use .Host instead of .String() since I think CSP does not like the protocol being in there, could have sworn I fixed that already.

Edit: wait no what am I talking about, apparently my brain is fried today, seems to work either way.