Question
Content Security Policy - wss protocol on Self is being blocked
Hi,
We have implemented a custom CSP for our application, and for the connect-src directive, we set it to Self.
We are now seeing items being blocked and reported with a Blocked Content Source of wss://myserver.mydomain.com where myserver.mydomain.com is the same domain as the Pega instance.
We would have expected the "Self" option to match for the wss protocol as well.
If that's not the case, can we provide an "Allowed website" with a wildcard like wss://*.mydomain.com, as this domain will change per environment?
Hi Patrick,
Based on the following article, it seems you have to explicitly set it as an allowed website: https://outlandish.com/blog/configure-content-security-policy-with-websockets-and-express/
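The matching behaviour discussed in this thread, as an added example that is not part of the original posts: CSP Level 2 compares `'self'` by exact origin, so `wss://` on the same host does not match an `https://` page, while Level 3 accepts it, and a `wss://*.mydomain.com` host-source matches under both. Function names are hypothetical, the URL paths are constructed, and the host-source matcher assumes exact scheme and default ports.

```javascript
// Added example: simplified CSP connect-src matching (scheme, host, port only).
// Function names are hypothetical; URL paths below are constructed sample values.

// 'self' at CSP Level 2 = exact origin; Level 3 also allows https:/wss: on the same host.
function selfMatches(pageUrl, targetUrl, level) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // URL.port is '' for a scheme's default port, so default ports compare equal.
  const sameHostPort = page.hostname === target.hostname && page.port === target.port;
  if (sameHostPort && page.protocol === target.protocol) return true; // same origin
  if (level < 3 || !sameHostPort) return false;
  if (['https:', 'wss:'].includes(target.protocol)) return true;
  return page.protocol === 'http:' && ['http:', 'ws:'].includes(target.protocol);
}

// Host-source such as wss://*.mydomain.com or wss://myserver.mydomain.com.
// Assumption: exact scheme match, no port or path part in the expression.
function hostSourceMatches(source, targetUrl) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) throw new Error('unsupported source expression: ' + source);
  const [, scheme, wildcard, host] = m;
  const target = new URL(targetUrl);
  if (target.protocol !== scheme.toLowerCase() + ':') return false;
  if (target.port !== '') return false; // expression without port = default port only
  const name = target.hostname.toLowerCase();
  const base = host.toLowerCase();
  // "*." matches subdomains only, never the bare domain itself.
  return wildcard ? name.endsWith('.' + base) : name === base;
}

// Evaluate a connect-src source list against one outgoing connection.
function connectAllowed(sources, pageUrl, targetUrl, level) {
  return sources.some((s) =>
    s === "'self'" ? selfMatches(pageUrl, targetUrl, level)
                   : hostSourceMatches(s, targetUrl));
}

const PAGE = 'https://myserver.mydomain.com/app';    // constructed path
const SOCKET = 'wss://myserver.mydomain.com/push';   // constructed path

console.log("'self' only, Level 2:", connectAllowed(["'self'"], PAGE, SOCKET, 2));
console.log("'self' only, Level 3:", connectAllowed(["'self'"], PAGE, SOCKET, 3));
console.log('with wildcard, Level 2:',
  connectAllowed(["'self'", 'wss://*.mydomain.com'], PAGE, SOCKET, 2));
```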