<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy"
   href="https://bugs.webkit.org/show_bug.cgi?id=165754">165754</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>Safari 10
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>iOS 10
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>erik.brandsma&#64;outlook.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Info:
- iOS 10.1.1
- iPhone 5s

This also happens on:
- macOS Sierra 10.12.1
- Safari Version 10.0.1 (12602.2.14.0.7)

This probably occurs due to: <a href="https://webkit.org/blog/6830/a-refined-content-security-policy/">https://webkit.org/blog/6830/a-refined-content-security-policy/</a>
Stack Overflow post I made about this: <a href="http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n">http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n</a>

So I have a PhoneGap app which uses socket.io to handle communication between the server and the app clients.
A typical URL to do so would be:
ws://10.0.1.63:3000/socket.io/?EIO=3&amp;transport=websocket&amp;sid=xTaMJwP3rVy3UnIBAAAi

When it tries to connect it says:
Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&amp;transport=websocket&amp;sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

Which seems like a really straightforward error: just add the URL to the Content Security Policy, right? Wrong. When I do so by setting the CSP to:
&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;
                                default-src * data: blob: ws: wss:;
                                style-src * 'unsafe-inline'; 
                                script-src * 'unsafe-inline' 'unsafe-eval';
                                connect-src * ws: wss:;&quot;&gt;

I still get the very same error.
I obviously cannot add &quot;ws://10.0.1.63:3000/socket.io/?EIO=3&amp;transport=websocket&amp;sid=xTaMJwP3rVy3UnIBAAAi&quot; because the hash at the end is randomly generated.
How can I make sure that this will work? Or is this a bug in WebKit? Because when I tested the exact same code in Chrome / Android it worked just fine, probably because Chrome / Android is more lenient when it comes to letting through connections. That is OK as long as I am able to fix this. How can I do so?</pre>
        </div>
      </p>
    </body>
</html>