Question

3
Replies
2924
Views
 Patrick Capron (PatrickC8660)
TD Bank Group
Solutions Design IT Specialist
TD Bank Group
CA
PatrickC8660 Member since 2014 26 posts
TD Bank Group
Posted: February 27, 2018
Last activity: March 1, 2018
Posted: 27 Feb 2018 14:42 EST
Last activity: 1 Mar 2018 11:11 EST
Closed
Solved

Content Security Policy - wss protocol on Self is being blocked

Hi,

We have implemented a custom CSP for our application, and for the connect-src directive, we set it to Self.

We are now seeing items being blocked and reported with a Blocked Content Source of wss://myserver.mydomain.com where myserver.mydomain.com is the same domain as the Pega instance.

We would have expected the "Self" option to match for the wss protocol as well.

If that's not the case, can we provide an "Allowed website" with a wildcard like wss://*.mydomain.com as this domain will change per environment.

Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 3 years ago
Posted: 28 Feb 2018 9:17 EST
Patrick Capron (PatrickC8660)
TD Bank Group
Solutions Design IT Specialist
TD Bank Group
CA

This explains it.


My issue is that we are pointing to the same domain, but this domain changes per environment.


Do you know if I could use something like this in the CSP rule:


wss://*.mydomain.com

Accepted Solution

Posted: 3 years ago
Posted: 28 Feb 2018 14:28 EST
Brad Tainter (Br@dTainter_GCS)
PEGA
Client Solutions Fellow
Pegasystems Inc.
US

 


Hi Patrick,


The following articles lead me to believe that will work:


https://developers.google.com/web/fundamentals/security/csp/

Show More

 


Hi Patrick,


The following articles lead me to believe that will work:


https://developers.google.com/web/fundamentals/security/csp/


The source list in each directive is flexible. You can specify sources by scheme (data:, https:), or ranging in specificity from hostname-only (example.com, which matches any origin on that host: any scheme, any port) to a fully qualified URI (https://example.com:443, which matches only HTTPS, only example.com, and only port 443). Wildcards are accepted, but only as a scheme, a port, or in the leftmost position of the hostname: *://*.example.com:* would match all subdomains of example.com (but not example.com itself), using any scheme, on any port.


https://forums.digitalpoint.com/threads/apache-content-security-policy-csp-header-in-htaccess-how-to-allow-multiple-domains-wildcard.2809419/



Header always set Content-Security-Policy "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to



Show Less