Question
TD Bank Group
CA
Last activity: 1 Mar 2018 11:11 EST
Content Security Policy - wss protocol on Self is being blocked
Hi,
We have implemented a custom CSP for our application, and for the connect-src directive, we set it to Self.
We are now seeing items being blocked and reported with a Blocked Content Source of wss://myserver.mydomain.com where myserver.mydomain.com is the same domain as the Pega instance.
We would have expected the "Self" option to match for the wss protocol as well.
If that's not the case, can we provide an "Allowed website" with a wildcard like wss://*.mydomain.com as this domain will change per environment.
Accepted Solution
Pegasystems Inc.
US
Hi Patrick,
The following articles lead me to believe that will work:
https://developers.google.com/web/fundamentals/security/csp/
Hi Patrick,
The following articles lead me to believe that will work:
https://developers.google.com/web/fundamentals/security/csp/
The source list in each directive is flexible. You can specify sources by scheme (data:, https:), or ranging in specificity from hostname-only (example.com, which matches any origin on that host: any scheme, any port) to a fully qualified URI (https://example.com:443, which matches only HTTPS, only example.com, and only port 443). Wildcards are accepted, but only as a scheme, a port, or in the leftmost position of the hostname: *://*.example.com:* would match all subdomains of example.com (but not example.com itself), using any scheme, on any port.
Header always set Content-Security-Policy "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to
Pegasystems Inc.
US
Hi Patrick,
Based on the following article, it seems you have to explicitly set in as an allowed website: https://outlandish.com/blog/configure-content-security-policy-with-websockets-and-express/
TD Bank Group
CA
This explains it.
My issue is that we are pointing to the same domain, but this domain changes per environment.
Do you know if I could use something like this in the CSP rule:
wss://*.mydomain.com
Accepted Solution
Pegasystems Inc.
US
Hi Patrick,
The following articles lead me to believe that will work:
https://developers.google.com/web/fundamentals/security/csp/
Hi Patrick,
The following articles lead me to believe that will work:
https://developers.google.com/web/fundamentals/security/csp/
The source list in each directive is flexible. You can specify sources by scheme (data:, https:), or ranging in specificity from hostname-only (example.com, which matches any origin on that host: any scheme, any port) to a fully qualified URI (https://example.com:443, which matches only HTTPS, only example.com, and only port 443). Wildcards are accepted, but only as a scheme, a port, or in the leftmost position of the hostname: *://*.example.com:* would match all subdomains of example.com (but not example.com itself), using any scheme, on any port.
Header always set Content-Security-Policy "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to