165754 2016-12-12 05:57:34 -0800 iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy 2016-12-15 14:14:20 -0800 1 1 1 Unclassified WebKit New Bugs Safari 10 All iOS 10 RESOLVED INVALID P2 Major --- 1 erik.brandsma webkit-unassigned oldest_to_newest 1259022 0 erik.brandsma 2016-12-12 05:57:34 -0800 Info: - iOS 10.1.1 - iPhone 5s This also happens on: - MacOS Sierra 10.12.1 - Safari Version 10.0.1 (12602.2.14.0.7) This occurs probably due to: https://webkit.org/blog/6830/a-refined-content-security-policy/ Stackoverflow post I made about this: http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n So I have a phonegap app which uses socket.io to handle communication between the server and the app clients. a typical URL to do so would be: ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi When it tries to connect it says: Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy. Which seems like a really straightforward error, just add the URL to the Content Security Policy right? Wrong. When I do so by setting the CSP to: <meta http-equiv="Content-Security-Policy" content=" default-src * data: blob: ws: wss:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * ws: wss:;"> I still get the very same error. I obviously cannot add "ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi" because the hash at the end is randomly generated. How can I make sure that this will work? Or is this a bug in webkit? Because when I tested the exact same code in Chrome / Android it worked just fine, probably because Chrome / Android is more lenient when it comes to letting through connections. That is ok as long as I am able to fix this. How can I do so? 1260257 1 erik.brandsma 2016-12-15 14:14:20 -0800 This is already fixed, the problem was that I had two Content-Security-Policy meta tags in the <head></head> section. The later one was more strict causing it to refuse the ws: connection