Merge pull request #373 from Yooooomi/fix/connect-src-csp

Fixed subdomains having an underscore in their name

apps/client/scripts/run/variables.sh

@@ -11,22 +11,27 @@ fi
 
 cp "$VAR_PATH/variables-template.js" "$VAR_PATH/variables.js"
 
-if [ ! -z "$API_ENDPOINT" ]
+if [[ -z "$API_ENDPOINT" ]]
 then
-    echo "Setting API Endpoint to '$API_ENDPOINT'"
-    sed -i "s;__API_ENDPOINT__;$API_ENDPOINT;g" "$VAR_PATH/variables.js"
-
-    # Editing meta image urls
-    sed -i "s;image\" content=\"\(.[^\"]*\);image\" content=\"$API_ENDPOINT/static/your_spotify_1200.png;g" "$VAR_PATH/index.html"
-
-    # Restricting connect-src to API_ENDPOINT with a trailing /
-    API_ENDPOINT_ENDING_WITH_SLASH=$API_ENDPOINT
-    if [[ "$API_ENDPOINT_ENDING_WITH_SLASH" != */ ]]
-    then
-        API_ENDPOINT_ENDING_WITH_SLASH="$API_ENDPOINT_ENDING_WITH_SLASH/"
-    fi
-    sed -i "s#connect-src \(.*\);#connect-src $API_ENDPOINT_ENDING_WITH_SLASH;#g" "$VAR_PATH/index.html"
-else
     echo "API_ENDPOINT is not defined, web app won't work"
     exit 1
 fi
+
+echo "Setting API Endpoint to '$API_ENDPOINT'"
+sed -i "s;__API_ENDPOINT__;$API_ENDPOINT;g" "$VAR_PATH/variables.js"
+
+# Editing meta image urls
+sed -i "s;image\" content=\"\(.[^\"]*\);image\" content=\"$API_ENDPOINT/static/your_spotify_1200.png;g" "$VAR_PATH/index.html"
+
+# Restricting connect-src to API_ENDPOINT with a trailing /, or to * if hostname has an _
+CSP_CONNECT_SRC=$API_ENDPOINT
+if [[ "$CSP_CONNECT_SRC" == *_*.*.* ]]
+then
+    echo "It seems that your subdomain has an underscore in it, falling back to less strict CSP"
+    CSP_CONNECT_SRC="*"
+elif ! echo "$CSP_CONNECT_SRC" | grep -q "/$"
+then
+    CSP_CONNECT_SRC="$CSP_CONNECT_SRC/"
+fi
+
+sed -i "s#connect-src \(.*\);#connect-src 'self' $CSP_CONNECT_SRC;#g" "$VAR_PATH/index.html"