socket.io Content-Security-Policy Host
What is the recommended practice to define a sensible CSP to allow socket.io requests?
The host name may be known only upon receiving a request with the Host: header, so I cannot configure the CSP string statically because 'self' does not apply to web sockets on the ws:// / wss:// protocols.
Hey @theage
You should have no problem adding your ws:// uri to the connect-src CSP directive in lusca. So you would have something like:
...
"connect-src": "'self' ws://<hostname> wss://<hostname>"
...
@shaunwarman, the issue is that the hostname is dynamically inferred from the Host: header (at runtime), but lusca wants a hard-coded header, so basically I have to send the CSP header myself rather than have lusca do it, unless there is a way to have a function resolve it.
"connect-src": () => { ... return `'self' ws://${request.hostname} wss://${request.hostname}` }
Hmm interesting. Could you elaborate on the dynamic host? Is this an auto-scaled environment where the ws:// server name relies on host machine?
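One way to do what @theage describes (send the CSP header yourself, resolved per request from the Host header) while not trusting that header blindly, as an added example that is not part of this thread or of lusca itself. The ALLOWED_HOSTS allowlist, the policy text and the Express-style (req, res, next) middleware shape are assumptions.

```javascript
// Added example, not lusca's code: instead of a static CSP string, build the
// Content-Security-Policy header per request so connect-src names the hostname
// the client actually connected to, for both ws:// and wss://.
// The Host header is client-controlled, so it is never reflected unvalidated:
// the hostname must match an allowlist of names this deployment serves.
// ALLOWED_HOSTS and the Express-style (req, res, next) signature are assumptions.

const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost']); // constructed

// Extract the hostname from a Host header value (dropping any :port) and
// return it only if it is on the allowlist; otherwise return null.
function resolveHost(hostHeader, allowedHosts = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.trim() === '') return null;
  const value = hostHeader.trim().toLowerCase();
  // A bracketed IPv6 literal such as [::1]:3000 is not a name this allowlist
  // covers; treat it as unknown rather than guessing.
  if (value.startsWith('[')) return null;
  const host = value.split(':')[0];
  return allowedHosts.has(host) ? host : null;
}

// Build the full policy. With an unknown or missing Host the connect-src
// directive falls back to 'self' alone, so a bad header can only tighten the
// policy, never widen it.
function buildCsp(hostHeader, allowedHosts = ALLOWED_HOSTS) {
  const host = resolveHost(hostHeader, allowedHosts);
  const connectSrc = host ? `'self' ws://${host} wss://${host}` : "'self'";
  return `default-src 'self'; connect-src ${connectSrc}`;
}

// Middleware that sets the header before the route handlers run,
// mounted in place of lusca's static csp configuration.
function dynamicCsp(allowedHosts = ALLOWED_HOSTS) {
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', buildCsp(req.headers.host, allowedHosts));
    next();
  };
}
```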