trying to fix csp , allow to inject avatars source to csp in nginx co…

…nfig

.github/workflows/build.yaml

@@ -6,8 +6,9 @@ on:
       - build
 env:
   IMAGE: saferwall/ui
-  VUE_APP_CSP_HOSTS: "*.saferwall.com saferwall.com"
   VUE_APP_ANALYTICS_GOOGLE_TAG: UA-111524273-1
+  VUE_APP_CSP_HOSTS: "*.saferwall.com saferwall.com"
+  VUE_APP_BASE_URI: "https://saferwall.com/"
   VUE_APP_API_BASE_URL: "https://api.saferwall.com/v1/"
   VUE_APP_AVATAR_BASE_URL: "https://avatar.saferwall.com/"
 

.github/workflows/release.yaml

@@ -2,6 +2,11 @@ name: UI Release
 on: workflow_dispatch
 env:
   IMAGE: saferwall/ui
+  VUE_APP_ANALYTICS_GOOGLE_TAG: UA-111524273-1
+  VUE_APP_CSP_HOSTS: "*.saferwall.com saferwall.com"
+  VUE_APP_BASE_URI: "https://saferwall.com/"
+  VUE_APP_API_BASE_URL: "https://api.saferwall.com/v1/"
+  VUE_APP_AVATAR_BASE_URL: "https://avatar.saferwall.com/"
 
 jobs:
   docker-release:

entrypoint.sh

@@ -11,8 +11,10 @@ do
   fi
 
   envsubst '$VUE_APP_BASE_URI' < $file.tmpl.js > $file
-  envsubst '$VUE_APP_API_BASE_URL' < $file > $file
-  envsubst '$VUE_APP_AVATAR_BASE_URL' < $file > $file
+  cp $file $file.tmpl.js
+  envsubst '$VUE_APP_API_BASE_URL' < $file.tmpl.js > $file
+  cp $file $file.tmpl.js
+  envsubst '$VUE_APP_AVATAR_BASE_URL' < $file.tmpl.js > $file
 done
 
 # -------------

nginx.conf

@@ -17,7 +17,7 @@ server {
   add_header X-Frame-Options "DENY";
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
-  add_header Content-Security-Policy "script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' fonts.googleapis.com 'self'; s object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data:;";
+  add_header Content-Security-Policy "script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' fonts.googleapis.com 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data:;";
 
   location / {
     try_files $uri $uri/ @rewrites;