Asked Saturday, June 24, 2017 · answers: 1 · hits: 17085

I am trying to open a WebSocket connection from a browser to a server running on localhost:9000. Here is my JS code:



$( document ).ready(function() {

    // The URL must be a string; the original post had it unquoted.
    var url = 'ws://localhost:9000/myapp';
    var connection = new WebSocket(url);

    connection.onopen = function() {
        console.log('WebSocket Open');
    };
    connection.onerror = function(error) {
        console.log('WebSocket Error ', error);
    };
    connection.onmessage = function(event) {
        console.log('WebSocket Msg ', event);
    };

});


But the browser is refusing to accept the connection because of the Content Security Policy:




Content Security Policy: The page's settings blocked the loading of a
resource at ws://localhost:9000/myapp (default-src
http://localhost:9000).




I thought that opening a WebSocket connection to self (in this case localhost) would be acceptable, but both Chrome and FF are denying the connection. I thought of placing



<meta http-equiv="Content-Security-Policy" content="default-src http: ws:; connect-src ws:">


but it didn't fix the problem.



These are the headers being returned by the Server:




HTTP/1.1 200 OK
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
X-Permitted-Cross-Domain-Policies: master-only
Date: Sat, 24 Jun 2017 03:39:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2130



What could be causing the connection refusal?



 Answers
390

It seems like that page must be getting served with a Content-Security-Policy response header that has default-src http://localhost:9000 in its value.



Given that you can never use a CSP directive somewhere to apply a more-liberal policy than one applied from somewhere else, if you have a strict default-src http://localhost:9000 policy in the CSP header, it’ll be applied instead of any more-liberal policy you might have specified using a meta element in a document.



See the discussion about multiple policies in the CSP spec:




The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.




So I think you may need to change the value of the Content-Security-Policy header to have default-src http: ws: connect-src ws:. You can’t do it with just a meta element.


[#57321] Thursday, June 22, 2017
lindsay
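The answer's point, that every delivered policy (response header and meta element alike) must allow a request and that a meta policy can only narrow what the header already permits, can be checked with a small model of the browser's decision. The following is an added example, not code from the question or the answer: it parses CSP policy strings, applies connect-src with fallback to default-src, and combines several policies the way the spec quote describes. The 'self' matching is the strict reading (same scheme, host and port), which is what the "(default-src http://localhost:9000)" error in the question reflects. The policy strings, the page origin and the `evil.example` host are constructed for the demonstration; the function names are this example's own.

```javascript
// Added example (not from the original post): a minimal model of how browsers
// combine several Content-Security-Policy policies when deciding whether a
// WebSocket connection may be opened. It handles only the source expressions
// the question uses ('self', scheme-only sources like "ws:", and host sources
// like "ws://localhost:9000"); it is a teaching model, not a full CSP engine.

// Parse "default-src 'self'; connect-src ws:" into { directive: [sources] }.
function parsePolicy(policyText) {
  const directives = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Default port per scheme, used when a source or URL omits the port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression allow `url` for a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") {
    // Strict reading: same scheme, host and port as the page. ws: is not http:,
    // so a ws:// URL fails here, as in the question's error message.
    return url.protocol === pageOrigin.protocol &&
           url.hostname === pageOrigin.hostname &&
           portOf(url) === portOf(pageOrigin);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // Scheme-only source such as "ws:" matches that scheme on ANY host.
    return url.protocol === source.toLowerCase();
  }
  // Host source such as "ws://localhost:9000" or "localhost:9000".
  const withScheme = source.includes('://') ? source : `${pageOrigin.protocol}//${source}`;
  let src;
  try { src = new URL(withScheme); } catch (e) { return false; }
  return url.protocol === src.protocol &&
         url.hostname === src.hostname &&
         portOf(url) === portOf(src);
}

// One policy allows a WebSocket URL if connect-src (falling back to
// default-src) contains a matching source. A policy with neither directive
// places no restriction on connections.
function policyAllowsConnect(policyText, urlText, pageOriginText) {
  const policy = parsePolicy(policyText);
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true;
  const url = new URL(urlText);
  const pageOrigin = new URL(pageOriginText);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// All delivered policies must agree; any single policy that blocks wins.
function connectionAllowed(policies, urlText, pageOriginText) {
  return policies.every((p) => policyAllowsConnect(p, urlText, pageOriginText));
}

// Constructed sample mirroring the question: the header says default-src 'self'
// and the meta element tries to widen it. The header still blocks ws://.
const PAGE = 'http://localhost:9000/';
const WS_URL = 'ws://localhost:9000/myapp';
const HEADER_POLICY = "default-src 'self'";
const META_POLICY = 'default-src http: ws:; connect-src ws:';
// Tighter fix than a bare "ws:" scheme: name the exact WebSocket origin.
const FIXED_HEADER = "default-src 'self'; connect-src 'self' ws://localhost:9000";

function demo() {
  return {
    headerOnly: connectionAllowed([HEADER_POLICY], WS_URL, PAGE),                   // false
    headerPlusMeta: connectionAllowed([HEADER_POLICY, META_POLICY], WS_URL, PAGE),  // false
    fixedHeader: connectionAllowed([FIXED_HEADER], WS_URL, PAGE),                   // true
    // A bare "ws:" source also lets the page open sockets to any other host.
    bareSchemeLeak: connectionAllowed([META_POLICY], 'ws://evil.example/x', PAGE),  // true
  };
}

console.log(demo());
```

The last entry is the caveat worth keeping in mind when applying the answer: a scheme-only source such as `ws:` in connect-src permits WebSocket connections to every host, so naming the origin explicitly (`connect-src 'self' ws://localhost:9000`) is the narrower change, and it works regardless of how a particular browser version interprets `'self'` for ws: URLs.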