Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSP: connect-src 'self' and websockets #7

Closed
mikewest opened this issue Oct 7, 2015 · 18 comments
Closed

CSP: connect-src 'self' and websockets #7

mikewest opened this issue Oct 7, 2015 · 18 comments
Labels

Comments

@mikewest
Copy link
Member

mikewest commented Oct 7, 2015

From @klings on September 28, 2015 19:25

Declaring a CSP with connect-src ‘self’ will not allow websockets back to the same host/port, since they're not same origin. This might come as a surprise to developers that haven't studied the CSP specification in detail and have a firm grasp of the same origin security model.

One option could be to add a note to the spec to clarify that this is the intended behaviour. Another option could be to make an exception for connect-src 'self', and allow ws(s): requests to same host/port.

I'm not sure what the security implications could be of the latter, but it might be worth some consideration.

Copied from original issue: w3c/webappsec#489

@zdexter
Copy link

zdexter commented Oct 23, 2015

I'm not sure this should be intended behavior - what about the "load web page in browser, then make websocket connection" use case? Nobody wants to enumerate all possible websocket origins in server configuration files or switch on development/production/staging hostnames... that's the utility of 'self' in the first place. Described scenario here: w3c/webappsec#506.

@mikewest
Copy link
Member Author

Poked at this in 0e81d81, WDYT?

@klings
Copy link

klings commented Oct 28, 2015

Thanks for looking into this! This should do the trick for same host/port web sockets.

@amacneil
Copy link

Would it also be possible to support ws: if the current protocol is http: and the CSP allows connect-src 'self'? It sounds like as written self will only support wss: if the current page was served via http.

As an example, it would be useful to serve a page at http://localhost:3000/ using connect-src 'self', and have this behave as if the CSP (under current rules) had specified connect-src 'self' ws://localhost:3000.

@thapet
Copy link

thapet commented Jun 8, 2017

This seems still to be an issue - like amacneil described. I have tried with connect-src 'self', but ws request to same origin (host and port) does not work (when testing from remote machine).
I have tried with Chrome v.59 and Edge v.14.

@annevk
Copy link
Member

annevk commented Feb 23, 2018

Reopening this per recent comment. It seems this wasn't fixed properly yet.

@annevk annevk reopened this Feb 23, 2018
@emilfihlman
Copy link

Issue opened at: https://bugs.chromium.org/p/chromium/issues/detail?id=815142

@emilfihlman
Copy link

bradbishop pushed a commit to openbmc/bmcweb that referenced this issue Dec 4, 2018
This changes the HTTP response header X-Content-Security-Policy
to Content-Security-Policy and changes its value to allow WebSocket
upgrades.

The X-Content-Security-Policy header is deprecated per
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet.

The problem with using the default-src (or connect-src) directive with
the 'self' value when upgrading from https: to wss: is that is blocks
the upgrade.  The problem is described here:
w3c/webappsec-csp#7

A similar problem happens with the KVM video (with media-src).

I was unable to find an authoritative fix for this problem.

Tested: pending

Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
@Thesephi
Copy link

Sincere apologies if I'm asking in a wrong thread, but I think Safari also has the same issue as specified in a previous comment by thabet (although I tested with https & wss) (I tested on Safari 12.1.1 and Safari Technology Preview Release 87 (Safari 13.0, WebKit 14608.1.33.1)). Internet search didn't result in productive findings, so I decided to ask here. Could anyone else reproduce?

wss_https_safari

@ratiofu
Copy link

ratiofu commented Sep 8, 2019

@Thesephi I can reproduce in Safari 12.1.2 with CSP connect-src 'self'. In fact, because of that error, I landed here. I filed WebKit bug 201591

@MoxxiManagarm
Copy link

I just came here because of the same. Still reproducable with Safari 13. Other browser accept wss to self with connect-src 'self' defined.

@mikewest
Copy link
Member Author

I believe the spec is correct, and covered by https://wpt.fyi/results/content-security-policy/connect-src/connect-src-websocket-self.sub.html?label=experimental&label=master&aligned. Closing this out again, as the bug against WebKit is the right place to comment on priority.

/cc @johnwilander

timshannon added a commit to timshannon/threenamesinahat that referenced this issue May 20, 2020
AlanGreene added a commit to AlanGreene/dashboard that referenced this issue Nov 18, 2020
Safari has not correctly implemented the `connect-src` directive
according to the (updated) Content Security Policy specification.

This means that `connect-src: 'self'` does not include websocket
connections to the same host.

See w3c/webappsec-csp#7 and
https://bugs.webkit.org/show_bug.cgi?id=201591 for details.

Explicitly allow `ws:` and `wss:` in `connect-src` to work around
this for now. Hopefully we can revisit this and remove them when
Safari updates their implementation to follow the spec for this case.
carhartl added a commit to digitalservicebund/mitra-frontend that referenced this issue Nov 18, 2021
We need to allow the ws: protocol explicitly:
w3c/webappsec-csp#7

Should we bring back handlebars and only apply the CSP in prod?
stefanw added a commit to okfde/fragdenstaat.de-ansible that referenced this issue Dec 10, 2021
connect-src: self may not allow wss:// in some browsers, see:
w3c/webappsec-csp#7
ngyikp added a commit to chicory-pizza/chicory-data that referenced this issue Mar 11, 2022
@mkurz
Copy link

mkurz commented Apr 1, 2022

There is finally work going on to get this fixed in Safari: https://bugs.webkit.org/show_bug.cgi?id=235873 (before it was https://bugs.webkit.org/show_bug.cgi?id=201591, which was marked as duplicate)

@mkurz
Copy link

mkurz commented Apr 4, 2022

https://bugs.webkit.org/show_bug.cgi?id=235873 is finally resolved now, so this should be fixed in the next Safari release 16 (maybe even 15.5 or 15.6 if those will happen)

tamuratak added a commit to tamuratak/LaTeX-Workshop that referenced this issue May 28, 2023
@silverwind
Copy link

silverwind commented Nov 20, 2023

Maybe it's a regression but I do observe this exact issue in Firefox 120.0b9 where connect-src: self does not allow ws://localhost:3000 when origin is http://localhost:3000. Works fine on 119.0.1.

@mkurz
Copy link

mkurz commented Nov 20, 2023

@silverwind I think you should report that to the firefox bug tracker?

@silverwind
Copy link

I will if I reproduce again. Strangely enough downgrading and upgrading Firefox seems to have resolved it for now.

@skyzyx
Copy link

skyzyx commented Jun 6, 2024

I spent way too much time today going spelunking through issues and patch notes this morning.

The WPT test for this was added in September 2018.

  • It was already fixed in Firefox Dev and Stable. [source] (September 2018)

  • It was fixed in Chrome 71.0.3559.6 (Dev) when it was announced on the Chrome blog (commit 15b59a4d4fe5524b5cb006747831aa1c47012e75). [source, source] (September 2018)

  • It was fixed in WebKit r292266, which was released in Safari Technology Preview 144, although it didn't make the release notes until 145 was released a week later [source, source] (May 2022)

  • That WebKit fix made it into Safari 16.0. [source] (September 2022)

  • Edge 17 (EdgeHTML) already had support when the test was written. It inherited that support when adopting Chromium in 2019.

  • With Opera switching to Chromium in 2013, I would assume that it received patches from upstream Chromium (September 2018) when that bug was fixed. (It is not tested as part of the WPT test suite.)

xi added a commit to xi/laneya2 that referenced this issue Sep 26, 2024
issue for websocket (see w3c/webappsec-csp#7)
not that relevant for this page anyway
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests