201591 2019-09-08 12:01:19 -0700 CSP "connect-src" 'self' does not match web socket scheme as per spec 2022-03-15 13:37:53 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build All All RESOLVED DUPLICATE 235873 InRadar P2 Normal --- 1 webkitbugs webkit-unassigned achristensen beidson bfulgham cheshire137 dbates han j+webkit-bugzilla katherine_cheney kris laurens.von.assel michael-rotarius m.kurz+webkitbugs moritz.mahringer otbotr pgriffis webkit-bug-importer w.janson oldest_to_newest 1569017 0 webkitbugs 2019-09-08 12:01:19 -0700 As per CSP spec paragraph 6.6.2.6, point 4. `self` match, 2nd match condition (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression): > "'self'", return "Matches" if one or more of the following conditions is met: > ... > 2. origin’s host is the same as url’s host, origin’s port and url’s port are either the same or the default ports for their respective schemes, and one or more of the following conditions is met: > - url’s scheme is "https" or "wss" > - origin’s scheme is "http" and url’s scheme is "http" or "ws" This appears to not be working correctly in Safari, where I have a CSP of "connect-src 'self'" for a service worker, but the service worker refuses to connect to a web socket on the same host and port, logging error > Refused to connect to wss://SOMEHOST/ws because it does not appear in the connect-src directive of the Content Security Policy. Chromium had the same issue, fixed about a year ago: https://bugs.chromium.org/p/chromium/issues/detail?id=815142 Related W3C CSP Issue: https://github.com/w3c/webappsec-csp/issues/7 1569581 1 webkit-bug-importer 2019-09-10 10:29:17 -0700 <rdar://problem/55227268> 1596749 2 moritz.mahringer 2019-12-08 18:13:47 -0800 I encountered this bug today and verified that it exists in Safari but works as intended (by the specification) in Chrome and Firefox. Luckily we catched this with a report-only directive. 1728539 3 michael-rotarius 2021-02-12 05:20:25 -0800 Still not fixed in Safari 14. 1851299 4 cheshire137 2022-03-15 08:18:02 -0700 Still present in Safari 15.3. 1851433 5 pgriffis 2022-03-15 12:31:55 -0700 bug 235873 probably does fix this. 1851473 6 bfulgham 2022-03-15 13:37:53 -0700 *** This bug has been marked as a duplicate of bug 235873 ***