Merge pull request #5060 from Infisical/fix/remove-placeholders-from-index

improvement(cdn): enhance Content Security Policy by injecting CDN host into directives

backend/src/server/plugins/serve-ui.ts

@@ -67,9 +67,12 @@ export const registerServeUI = async (
         .replace(/src="\/assets\//g, `src="${cdnHost}/assets/`)
         .replace(/href="\/assets\//g, `href="${cdnHost}/assets/`);
 
-      indexHtml = indexHtml.replace(new RE2(`(__INFISICAL_CDN_HOST__)`, "g"), cdnHost);
-    } else {
-      indexHtml = indexHtml.replace(new RE2(`(__INFISICAL_CDN_HOST__)`, "g"), "");
+      // Inject CDN host into CSP directives that need it
+      const cspDirectives = ["script-src", "style-src", "font-src", "connect-src", "media-src"];
+      for (const directive of cspDirectives) {
+        const regex = new RE2(`(${directive}\\s+'self')`, "g");
+        indexHtml = indexHtml.replace(regex, `$1 ${cdnHost}`);
+      }
     }
 
     await server.register(staticServe, {

frontend/index.html

@@ -8,15 +8,15 @@
       http-equiv="Content-Security-Policy"
       content="
     default-src 'self'; 
-    connect-src 'self' __INFISICAL_CDN_HOST__ https://*.posthog.com http://127.0.0.1:* https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm; 
-    script-src 'self' __INFISICAL_CDN_HOST__ https://*.posthog.com https://js.stripe.com https://api.stripe.com https://widget.intercom.io https://js.intercomcdn.com https://hcaptcha.com https://*.hcaptcha.com 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm; 
-    style-src 'self' __INFISICAL_CDN_HOST__ 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; 
+    connect-src 'self' https://*.posthog.com http://127.0.0.1:* https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm; 
+    script-src 'self' https://*.posthog.com https://js.stripe.com https://api.stripe.com https://widget.intercom.io https://js.intercomcdn.com https://hcaptcha.com https://*.hcaptcha.com 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/npm/@lottiefiles/dotlottie-web@0.38.2/dist/dotlottie-player.wasm; 
+    style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; 
     child-src https://api.stripe.com; 
     frame-src https://js.stripe.com/ https://api.stripe.com https://www.youtube.com/ https://hcaptcha.com https://*.hcaptcha.com; 
-    connect-src 'self' __INFISICAL_CDN_HOST__ wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com https://api.pwnedpasswords.com http://127.0.0.1:* https://hcaptcha.com https://*.hcaptcha.com; 
+    connect-src 'self' wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com https://api.pwnedpasswords.com http://127.0.0.1:* https://hcaptcha.com https://*.hcaptcha.com; 
     img-src 'self' https://static.intercomassets.com https://js.intercomcdn.com https://downloads.intercomcdn.com https://*.stripe.com https://i.ytimg.com/ data:; 
-    media-src __INFISICAL_CDN_HOST__ https://js.intercomcdn.com; 
-    font-src 'self' __INFISICAL_CDN_HOST__ https://fonts.intercomcdn.com/  https://fonts.gstatic.com; 
+    media-src 'self' https://js.intercomcdn.com; 
+    font-src 'self' https://fonts.intercomcdn.com/ https://fonts.gstatic.com; 
   "
     />
     <title>Infisical</title>