RESOLVED INVALID Bug 165754
iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=165754
Erik Brandsma
Reported 2016-12-12 05:57:34 PST
Info:
- iOS 10.1.1
- iPhone 5s

This also happens on:
- MacOS Sierra 10.12.1
- Safari Version 10.0.1 (12602.2.14.0.7)

This occurs probably due to:
https://webkit.org/blog/6830/a-refined-content-security-policy/

Stackoverflow post I made about this:
http://stackoverflow.com/questions/41102298/ios-refused-to-connect-because-it-appears-in-neither-the-connect-src-directive-n

So I have a phonegap app which uses socket.io to handle communication between the server and the app clients. A typical URL to do so would be:

ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi

When it tries to connect it says:

Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

Which seems like a really straightforward error, just add the URL to the Content Security Policy, right? Wrong. When I do so by setting the CSP to:

<meta http-equiv="Content-Security-Policy" content="
    default-src * data: blob: ws: wss:;
    style-src * 'unsafe-inline';
    script-src * 'unsafe-inline' 'unsafe-eval';
    connect-src * ws: wss:;">

I still get the very same error. I obviously cannot add "ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi" because the hash at the end is randomly generated.

How can I make sure that this will work? Or is this a bug in webkit? Because when I tested the exact same code in Chrome / Android it worked just fine, probably because Chrome / Android is more lenient when it comes to letting through connections. That is ok as long as I am able to fix this. How can I do so?
Erik Brandsma
Comment 1 2016-12-15 14:14:20 PST
This is already fixed; the problem was that I had two Content-Security-Policy meta tags in the <head></head> section. The later one was more strict, causing it to refuse the ws: connection.
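
The resolution above follows from how multiple policies combine: each Content-Security-Policy is enforced on its own, so a request must pass every one of them and a permissive tag cannot loosen a stricter one. The following sketch is an added example, not code from the report or from WebKit; it lists which meta-tag policies on a page would refuse a given connection. The second meta tag, the function names, and the simplified source matching are assumptions made for illustration.

```javascript
// Added example: simplified CSP check (scheme sources, '*', exact scheme://host only).
// The meta-tag regex assumes http-equiv precedes content, as in the sample below.
const META_RE = /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"/gi;

// Constructed sample: the first tag is the one from the report; the second,
// stricter tag is hypothetical (the report does not show it).
const SAMPLE_HTML = `<head>
<meta http-equiv="Content-Security-Policy" content="default-src * data: blob: ws: wss:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * ws: wss:;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *">
</head>`;
const TARGET = "ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket";

// Content of every CSP <meta> tag, in document order.
function extractPolicies(html) {
  return [...html.matchAll(META_RE)].map((m) => m[1]);
}

// "connect-src * ws:; img-src *" -> Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Within one policy, only the first occurrence of a directive counts.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function sourceMatches(source, url) {
  if (source === "*") return ["http:", "https:"].includes(url.protocol); // simplification
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  return source.toLowerCase() === `${url.protocol}//${url.host}`; // keywords never match
}

function policyAllowsConnect(policyText, target) {
  const directives = parsePolicy(policyText);
  const sources = directives.get("connect-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // this policy does not govern connections
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url));
}

// Every policy is enforced independently: one refusal blocks the request.
function blockingPolicies(html, target) {
  return extractPolicies(html).filter((p) => !policyAllowsConnect(p, target));
}

console.log(blockingPolicies(SAMPLE_HTML, TARGET));
```

Running a check like this over the built page (including tags injected by templates or plugins) shows which policy is responsible when a refusal message names a directive that looks correct in the tag being edited.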