
Add ws: and wss: schemes

Open dannyweldon opened this issue 1 year ago • 1 comments

These schemes are used by connect-src.

References:

https://content-security-policy.com/connect-src/ (Search for WebSocket)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source

https://developer.mozilla.org/en-US/docs/Web/URI/Schemes

dannyweldon, Jan 08 '25 08:01

Some notes to consider before merging:

I put these at the end of the scheme list but you may want to put them higher up in the list.

These schemes are only really used by connect-src so adding them to every directive may create too much unnecessary clutter. If you search for WebSocket on this page, it only comes up against connect-src, but I could be wrong:

https://content-security-policy.com/

Without this commit, it is possible to work around this just by putting "ws:" or "wss:" directly in the edit field.

dannyweldon, Jan 08 '25 08:01