Hello All,

Recently found a limitation of the current CSP implementation [1]

Note: connect-src 'self' does not resolve to websocket schemas in all browsers, more info: https://github.com/w3c/webappsec-csp/issues/7

I believe this should be addressed or at least documented (Seems to fail in Safari only)
I'm going to work around this in our source code

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src

On Wed, 25 Mar 2020 at 18:07, Maxim Solodovnik <solomax...@gmail.com> wrote:

> Hello All,
>
> it seems it was a false alarm
> sorry for the noise :(
>
> On Tue, 24 Mar 2020 at 15:19, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
>> Hmmm,
>>
>> I'll check.
>> The errors are definitely in DevTools (I'm using report-only CSP)
>> Not sure if it is first or second time
>> Will double-check and report back
>>
>> On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij <emond.papega...@gmail.com>
>> wrote:
>> >
>> > Hi Maxim,
>> >
>> > Are you sure? I just tried the examples and CSS resources do have
>> > nonces. Maybe you're seeing the same errors as I when opening the dev
>> > tools? Somehow Chrome is unable to load the css resources in the dev
>> > tools when the dev tools are opened after loading the page. After a
>> > refresh, it's fine again.
>> >
>> > Emond
>> >
>> > On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik <solomax...@gmail.com>
>> wrote:
>> > >
>> > > Hello All,
>> > >
>> > > just found regression with CSP
>> > > nonce for CSS resources seems to be not added, which results in security
>> errors
>> > > Can it be caused by latest code optimizations?
>> > >
>> > > --
>> > > WBR
>> > > Maxim aka solomax
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
> --
> WBR
> Maxim aka solomax
>

--
Best regards,
Maxim
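The `connect-src 'self'` behaviour reported in the newest message of this thread can be modelled as follows; this is an added example, not part of the thread and not the project's code. The strict matcher is an assumption standing in for the failing browser, the second matcher follows the CSP Level 3 rule for `'self'`, and all function names and the `app.example.test` host are constructed for illustration.

```javascript
// Added example. Host names and function names are constructed, not from the thread.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const effectivePort = (u) => u.port || DEFAULT_PORTS[u.protocol];

// Assumption: the failing browser treats 'self' as an exact
// scheme + host + port match, so wss:// never equals https://.
function selfMatchesStrict(pageUrl, targetUrl) {
  const p = new URL(pageUrl), t = new URL(targetUrl);
  return p.protocol === t.protocol && p.hostname === t.hostname &&
    effectivePort(p) === effectivePort(t);
}

// CSP Level 3: 'self' also matches the same host when the target is
// https/wss, or when the page is http and the target is http/ws.
function selfMatchesCsp3(pageUrl, targetUrl) {
  if (selfMatchesStrict(pageUrl, targetUrl)) return true;
  const p = new URL(pageUrl), t = new URL(targetUrl);
  const portsOk = effectivePort(p) === effectivePort(t) ||
    (p.port === "" && t.port === "");
  const schemeOk = t.protocol === "https:" || t.protocol === "wss:" ||
    (p.protocol === "http:" && (t.protocol === "http:" || t.protocol === "ws:"));
  return p.hostname === t.hostname && portsOk && schemeOk;
}

// Workaround: name the page's own WebSocket origin explicitly next to 'self'.
function connectSrcWithWebSocket(pageUrl) {
  const p = new URL(pageUrl);
  const wsScheme = p.protocol === "https:" ? "wss:" : "ws:";
  return `connect-src 'self' ${wsScheme}//${p.host}`;
}

// Explicit scheme://host[:port] sources only (no wildcards or paths).
function explicitSourceMatches(source, targetUrl) {
  const s = new URL(source), t = new URL(targetUrl);
  return s.protocol === t.protocol && s.hostname === t.hostname &&
    effectivePort(s) === effectivePort(t);
}

// Evaluate a connect-src directive with a chosen interpretation of 'self'.
function evaluateConnect(directive, pageUrl, targetUrl, selfMatcher) {
  const sources = directive.trim().split(/\s+/).slice(1);
  return sources.some((src) => src === "'self'"
    ? selfMatcher(pageUrl, targetUrl)
    : explicitSourceMatches(src, targetUrl));
}
```

With the explicit `wss://` source added, the same-host WebSocket connection is allowed under either interpretation of `'self'`, while other hosts stay blocked.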