Webappsec people,

I’m the maintainer of the NWebsec security header library for ASP.NET, and an issue with CSP connect-src ‘self’ was recently brought to my attention. Declaring the ‘self’ source will not allow WebSockets back to the same host; I assume it’s because it’s not the same origin since the scheme differs. Firefox and Chrome/Opera all behave the same; I’ve tested them just now in their latest (stable) versions.

Would it make sense to allow same-host WebSockets when declaring connect-src ‘self’? I believe this would be intuitive CSP behaviour for adopters of the header. One can easily get the impression that this is how it works when reading the spec.

Any thoughts?

Thanks in advance,
André N. Klingsheim
https://github.com/NWebsec/NWebsec

Received on Monday, 28 September 2015 03:07:43 UTC
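To make the observation concrete, here is an added Python model of connect-src matching (it is not NWebsec code or any browser's implementation). 'self' is treated the way the post describes browsers behaving, with scheme, host and port all having to equal the page origin, so a wss:// connection from an https:// page is refused unless an explicit scheme-source or host-source is added. The host names and ports are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _parts(url: str):
    """Split a URL or origin into (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does a single connect-src source expression allow a connection to `url`?

    'self' requires scheme, host and port to equal the page origin (the strict
    behaviour the post reports). A scheme-source ('wss:') matches on scheme only.
    A host-source ([scheme://]host[:port]) matches host and port literally; with no
    scheme it inherits the page's scheme (an http page may still reach https), and
    with no port it matches only the default port of the URL's scheme. Paths are
    ignored here for brevity.
    """
    scheme, host, port = _parts(url)
    page_scheme, page_host, page_port = _parts(page_origin)
    if source == "'self'":
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    if source == "'none'":
        return False
    if source.endswith(":") and "//" not in source:  # scheme-source, e.g. wss:
        return scheme == source[:-1]
    src_scheme, _, rest = source.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    src_scheme = src_scheme or page_scheme
    if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
        return False
    if src_host.lower() != host:
        return False
    if src_port == "*":
        return True
    if src_port == "":
        return port == DEFAULT_PORTS.get(scheme)
    return src_port == str(port)


def connect_src_allows(directive_value: str, url: str, page_origin: str) -> bool:
    """Apply a whole connect-src directive value (space-separated source list)."""
    return any(source_allows(s, url, page_origin) for s in directive_value.split())


if __name__ == "__main__":
    origin = "https://app.example.com"  # constructed page origin
    for policy in ("'self'", "'self' wss:", "'self' wss://app.example.com"):
        ok = connect_src_allows(policy, "wss://app.example.com/socket", origin)
        print(f"connect-src {policy!r:32} -> wss to same host allowed: {ok}")
```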
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC