[Webkit-unassigned] [Bug 165754] New: iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Dec 12 05:57:34 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=165754
Bug ID: 165754
Summary: iOS Refused to connect because it appears in neither
the connect-src directive nor the default-src
directive of the Content Security Policy
Classification: Unclassified
Product: WebKit
Version: Safari 10
Hardware: All
OS: iOS 10
Status: NEW
Severity: Major
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: erik.brandsma at outlook.com
Info:
- iOS 10.1.1
- iPhone 5s
This also happens on:
- MacOS Sierra 10.12.1
- Safari Version 10.0.1 (12602.2.14.0.7)
This occurs probably due to: https://webkit.org/blog/6830/a-refined-content-security-policy/
Stackoverflow post I made about this: http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n
So I have a phonegap app which uses socket.io to handle communication between the server and the app clients.
a typical URL to do so would be:
ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi
When it tries to connect it says:
Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
Which seems like a really straightforward error, just add the URL to the Content Security Policy right? Wrong. When I do so by setting the CSP to:
<meta http-equiv="Content-Security-Policy" content="
default-src * data: blob: ws: wss:;
style-src * 'unsafe-inline';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * ws: wss:;">
I still get the very same error.
I obviously cannot add "ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi" because the hash at the end is randomly generated.
How can I make sure that this will work? Or is this a bug in webkit? Because when I tested the exact same code in Chrome / Android it worked just fine, probably because Chrome / Android is more lenient when it comes
to letting through connections. That is ok as long as I am able to fix this. How can I do so?
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161212/d959856f/attachment.html>
More information about the webkit-unassigned
mailing list