[CSP2] connect-src 'self' and websockets

Webappsec people,

I’m the maintainer of the NWebsec security header library for ASP.NET, and
an issue with CSP connect-src ‘self’ was recently brought to my attention.
Declaring the ‘self’ source will not allow websockets back to the same host,
I assume it’s because it’s not the same origin since the scheme differs.
Firefox and Chrome/Opera all behave the same, I’ve tested them just now in
their latest (stable) versions.

Would it make sense to allow same host websockets when declaring connect-src
‘self’? I believe this would be intuitive CSP behaviour for adopters of the
header. One can easily get the impression that this is how it works when
reading the spec.

Any thoughts?

Thanks in advance,

André N. Klingsheim

https://github.com/NWebsec/NWebsec

Received on Monday, 28 September 2015 03:07:43 UTC
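Added example, not code from the post or from NWebsec: a simplified CSP2-style connect-src matcher in JavaScript that reproduces the behaviour described above. It assumes 'self' requires an exact scheme, host and port match with the document origin, and the hostnames and policy strings are constructed.

```javascript
const DEFAULT_PORTS = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };

// Explicit port if present, else the scheme's default port.
function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Match one source expression against a target URL for a document at docOrigin.
// Handles a subset of CSP2 syntax: 'self', 'none', scheme-only ("wss:"), and
// [scheme://]host[:port] with an optional "*." prefix. Simplification (assumption):
// a scheme-less host source must match the document's scheme exactly.
function sourceMatches(expr, target, docOrigin) {
  const doc = new URL(docOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") {              // exact scheme + host + port, as the post observes
    return doc.protocol === target.protocol && doc.hostname === target.hostname &&
           portOf(doc) === portOf(target);
  }
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return schemeOnly[1].toLowerCase() + ":" === target.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : doc.protocol;
  if (wantScheme !== target.protocol) return false;
  const h = target.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === undefined) return portOf(target) === DEFAULT_PORTS[target.protocol];
  return port === "*" || port === portOf(target);
}

// Evaluate a whole connect-src value (space-separated source list) for one URL.
function connectAllowed(connectSrc, targetUrl, docOrigin) {
  const target = new URL(targetUrl);
  return connectSrc.trim().split(/\s+/).some(e => sourceMatches(e, target, docOrigin));
}

// Constructed scenario from the post: a page on https://example.com opening a
// websocket back to the same host.
const PAGE = "https://example.com";
const SOCKET = "wss://example.com/live";

console.log(connectAllowed("'self'", SOCKET, PAGE));                    // false: scheme differs
console.log(connectAllowed("'self' wss://example.com", SOCKET, PAGE));  // true: listed explicitly
console.log(connectAllowed("'self'", "https://example.com/api", PAGE)); // true: same origin
```

Under this CSP2 matching the practical fix is to name the websocket endpoint explicitly (e.g. `connect-src 'self' wss://example.com`) rather than relying on 'self'; later CSP revisions relaxed 'self' so that an https document also matches wss.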