W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

[CSP2] connect-src 'self' and websockets

From: André N. Klingsheim <andre.klingsheim@owasp.org>
Date: Sun, 27 Sep 2015 23:46:58 +0200
To: <public-webappsec@w3.org>
Message-ID: <007401d0f96e$096be890$1c43b9b0$@owasp.org>
Webappsec people,


I’m the maintainer of the NWebsec security header library for ASP.NET, and
an issue with CSP connect-src ‘self’ was recently brought to my attention.
Declaring the ‘self’ source will not allow websockets back to the same host,
I assume it’s because it’s not the same origin since the scheme differs.
Firefox and Chrome/Opera all behave the same, I’ve tested them just now in
their latest (stable) versions.


Would it make sense to allow same host websockets when declaring connect-src
‘self’? I believe this would be intuitive CSP  behaviour for adopters of the
header. One can easily get the impression that this is how it works when
reading the spec.


Any thoughts?


Thanks in advance,


André N. Klingsheim

Received on Monday, 28 September 2015 03:07:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC