Safari doesn't understand my Content-Security-Policy headers


Every other browser understands when I say:

add_header Content-Security-Policy default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com;

in my headers. But Safari says:

Refused to connect to wws://mysite because it doesn't not appear in the connect-src directive in Content Security Policy. [Error] SecurityError (DOM Exception 18): The operation is insecure. (anonymous function) (myjavascripturl.js)

Why does Safari not understand my Content-Security-Policy headers?


There is 1 answer

Scott Helme

In the policy you have provided there are no single quotes around unsafe-inline, which are required. Change this:

add_header Content-Security-Policy default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com;

To this:

add_header Content-Security-Policy default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src wss://mysite.com;
-------------------------------------------------------------------------^-------------^

That could be affecting the parsing of the policy.


The other concern is in the error message you provided.

Refused to connect to wws://mysite
-----------------------^

Do you have a typo somewhere in your code? Should this be wss?
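An added Python model (not code from the question or the answer) of how a browser tokenises this policy and evaluates connect-src: it shows why a bare unsafe-inline is read as a host-source rather than the keyword, and why the wws://mysite URL in Safari's error cannot match wss://mysite.com on either scheme or host. The matching rules are simplified ('self' as an exact origin match, no scheme-upgrade rules) and the two policies are constructed from the post.

```python
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}

# Constructed from the question: the policy as posted, and the answer's corrected form.
BAD_POLICY = "default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com"
GOOD_POLICY = BAD_POLICY.replace("unsafe-inline", "'unsafe-inline'")

def parse_csp(policy):
    """{directive: [source tokens]}; ';' separates directives, whitespace separates sources."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def classify_source(token):
    """Only a single-quoted token is a keyword; bare unsafe-inline is a host-source for a host literally named unsafe-inline."""
    if token in KEYWORDS:
        return "keyword"
    return "invalid" if token.startswith("'") else "host"

def inline_scripts_allowed(policy):
    """True only when script-src carries the quoted keyword, not the bare word."""
    return "'unsafe-inline'" in parse_csp(policy).get("script-src", [])

def host_matches(source, url):
    """Simplified host-source match: an explicit scheme must equal the URL's, then the host must match."""
    target = urlsplit(url)
    scheme, sep, rest = source.partition("://")
    if sep and scheme.lower() != target.scheme.lower():
        return False  # e.g. a wws:// URL never matches a wss:// source
    host = (rest if sep else source).split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])
    return target.hostname == host  # 'mysite' != 'mysite.com'

def connect_allowed(policy, url, page_origin):
    """Does `url` pass connect-src (falling back to default-src)? 'self' is modelled as an exact origin match."""
    directives = parse_csp(policy)
    sources = directives.get("connect-src", directives.get("default-src", []))
    page, target = urlsplit(page_origin), urlsplit(url)
    for src in sources:
        if src == "'self'" and (page.scheme, page.netloc) == (target.scheme, target.netloc):
            return True
        if classify_source(src) == "host" and host_matches(src, url):
            return True
    return False
```

Note that once connect-src is present it replaces default-src entirely, so a same-origin https request is not covered by the 'self' in default-src.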