I attempted to add an "additional source" under "connect-src" using the wss:// protocol but the form rejects it. "Invalid domain or protocol provided."

Comments

kevinedmister created an issue. See original summary.

gapple’s picture

gapple
he/they
Primary language English
commented

Current behaviour is to only allow http and https protocols in a policy
https://cgit.drupalcode.org/csp/tree/src/Form/CspSettingsForm.php?id=8.x...

I'm going to have to dig a bit to verify this, but my current understanding is that wss: should be allowed by specifying https:.

gapple’s picture

gapple
he/they
Primary language English
commented
Component: Code » Documentation
Category: Feature request » Task

There's currently an open issue on the CSP spec - #332: Remove mentions of the ws\wss schemes in CSP

Unless a current browser is blocking web socket connections with a policy like connect-src: https://example.org, but allowing them with connect-src: wss://example.org, then I think this just needs to be documented.

gapple’s picture

gapple
he/they
Primary language English
commented
Status: Active » Fixed

I've added an FAQ page to the module documentation with a note on this issue.
https://www.drupal.org/docs/8/modules/content-security-policy/frequently...

Please re-open with more information if you're still encountering issues.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

dorficus’s picture

dorficus commented

I'm still running into this issue getting the following error:
Refused to connect to 'wss://some.socket.com/api/v1/client/ws' because it violates the following Content Security Policy directive: "connect-src 'self' https://*.socket.com".

I'm going to reopen this issue for further discussion.