[Webkit-unassigned] [Bug 201591] New: CSP "connect-src" 'self' does not match web socket scheme as per spec

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 8 12:01:19 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=201591

            Bug ID: 201591
           Summary: CSP "connect-src" 'self' does not match web socket
                    scheme as per spec
           Product: WebKit
           Version: Safari 12
          Hardware: Macintosh
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: webkitbugs at thomasjung.com

As per CSP spec paragraph 6.6.2.6, point 4. `self` match, 2nd match condition (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression):

> "'self'", return "Matches" if one or more of the following conditions is met:
> ...
> 2. origin’s host is the same as url’s host, origin’s port and url’s port are either the same or the default ports for their respective schemes, and one or more of the following conditions is met:
>   - url’s scheme is "https" or "wss"
>   - origin’s scheme is "http" and url’s scheme is "http" or "ws"

This appears to not be working correctly in Safari, where I have a CSP of "connect-src 'self'" for a service worker, but the service worker refuses to connect to a web socket on the same host and port, logging the error:

> Refused to connect to wss://SOMEHOST/ws because it does not appear in the connect-src directive of the Content Security Policy.

Chromium had the same issue, fixed about a year ago: https://bugs.chromium.org/p/chromium/issues/detail?id=815142

Related W3C CSP Issue: https://github.com/w3c/webappsec-csp/issues/7
