fix app/hubmessenger's csp

Author: AlexErrant

app/buildHeaders.ts

@@ -6,7 +6,12 @@ const contents = `/*
   Cross-Origin-Opener-Policy: same-origin
   Cross-Origin-Resource-Policy: cross-origin
   Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
-  ${hstsName}: ${hstsValue}`
+  ${hstsName}: ${hstsValue}
+
+/hubmessenger
+  ! Content-Security-Policy
+  Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors ${process.env.VITE_HUB_ORIGIN};
+`
 
 fs.writeFile('./dist/_headers', contents, (err) => {
 	if (err != null) {

app/deploy.sh

@@ -4,6 +4,9 @@
 set -euo pipefail # https://stackoverflow.com/a/2871034
 # set -x
 
-npx tsx --tsconfig ./tsconfig.deploy.json buildHeaders.ts
 [[ -f "env.sh" ]] && source env.sh
+set -a
+[[ -f ".env.production" ]] && source .env.production
+set +a
+npx tsx --tsconfig ./tsconfig.deploy.json buildHeaders.ts
 npx wrangler pages deploy ./dist --project-name app --branch main

hub/src/entry-server.tsx

@@ -74,7 +74,7 @@ export default createHandler(
 								sandbox='allow-scripts allow-same-origin' // Changing this has security ramifications! https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
 								// "When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin"
 								// Since this iframe hosts `app.pentive.com` and this page is hosted on `pentive.com`, resulting in different origins, we should be safe. https://web.dev/sandboxed-iframes/ https://stackoverflow.com/q/35208161
-								src={import.meta.env.VITE_APP_ORIGIN + '/hubmessenger.html'}
+								src={import.meta.env.VITE_APP_ORIGIN + '/hubmessenger'}
 							/>
 							<div id='app'>{children}</div>
 							{scripts}