[Webkit-unassigned] [Bug 165754] New: iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 12 05:57:34 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=165754

            Bug ID: 165754
           Summary: iOS Refused to connect because it appears in neither
                    the connect-src directive nor the default-src
                    directive of the Content Security Policy
    Classification: Unclassified
           Product: WebKit
           Version: Safari 10
          Hardware: All
                OS: iOS 10
            Status: NEW
          Severity: Major
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erik.brandsma at outlook.com

Info:
- iOS 10.1.1
- iPhone 5s

This also happens on:
- MacOS Sierra 10.12.1
- Safari Version 10.0.1 (12602.2.14.0.7)

This occurs probably due to: https://webkit.org/blog/6830/a-refined-content-security-policy/
Stackoverflow post I made about this: http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n 

So I have a PhoneGap app which uses socket.io to handle communication between the server and the app clients.
A typical URL to do so would be:
ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi

When it tries to connect it says:
Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

Which seems like a really straightforward error, just add the URL to the Content Security Policy right? Wrong. When I do so by setting the CSP to: 
<meta http-equiv="Content-Security-Policy" content="
    default-src * data: blob: ws: wss:;
    style-src * 'unsafe-inline';
    script-src * 'unsafe-inline' 'unsafe-eval';
    connect-src * ws: wss:;">

I still get the very same error.
I obviously cannot add "ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi" because the hash at the end is randomly generated.
How can I make sure that this will work? Or is this a bug in WebKit? Because when I tested the exact same code in Chrome / Android it worked just fine, probably because Chrome / Android is more lenient when it comes to letting through connections. That is ok as long as I am able to fix this. How can I do so?
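For readers working out which part of the policy above is supposed to admit the ws:// URL, here is an added example (not code from the bug report or from WebKit): a simplified model of CSP Level 3 source-list matching for a WebSocket connection. It assumes the page is served from the constructed PAGE_URL and only handles scheme-sources, host-sources and 'self'.

```javascript
// Added example (not from the bug report or WebKit): a simplified CSP Level 3 source-list
// matcher for WebSocket connections. PAGE_URL below is a constructed assumption.
function parsePolicy(policyText) {          // "name src src; name src ..." -> Map; repeats ignored
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// scheme-part match: "http" also allows https and "ws" also allows wss (secure upgrades).
function schemeMatches(scheme, url) {
  return url.protocol === scheme + ':' ||
    (scheme === 'http' && url.protocol === 'https:') || (scheme === 'ws' && url.protocol === 'wss:');
}
// One source expression against one URL. A host-source with no scheme inherits the page's scheme,
// so a bare "*" on an http: page does not cover ws://; an explicit "ws:" scheme-source does.
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e.startsWith("'")) return e === "'self'" && url.origin === page.origin;   // keywords/nonces/hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e.slice(0, -1), url); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;                                                           // not a host-source
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme ?? page.protocol.slice(0, -1), url)) return false;
  if (host.startsWith('*.') ? !url.hostname.endsWith(host.slice(1)) : host !== '*' && url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;                                                    // the query string is never compared
}
// WebSocket connections are governed by connect-src, falling back to default-src when it is absent.
function connectAllowed(policyText, targetUrl, pageUrl) {
  const d = parsePolicy(policyText);
  const sources = d.get('connect-src') ?? d.get('default-src');
  if (sources === undefined) return true;                         // neither directive present
  const url = new URL(targetUrl), page = new URL(pageUrl);
  return sources.some(src => sourceMatches(src, url, page));
}
// Policy and WebSocket URL quoted from the report; the page URL is a constructed assumption.
const REPORTED_POLICY = "default-src * data: blob: ws: wss:; style-src * 'unsafe-inline'; " +
  "script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * ws: wss:;";
const REPORTED_URL = 'ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi';
const PAGE_URL = 'http://10.0.1.63:3000/index.html';

console.log(connectAllowed(REPORTED_POLICY, REPORTED_URL, PAGE_URL));                   // true (via "ws:")
console.log(connectAllowed('connect-src ws://10.0.1.63:3000', REPORTED_URL, PAGE_URL)); // true, no sid needed
```

Because matching stops at scheme, host, port and path, a host-source such as `ws://10.0.1.63:3000` already covers every random `sid=` value, and a policy that passes this model but is still refused by the browser points at the engine rather than the policy.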
