Steps to reproduce
- Open a page containing the following CSP (either meta tag or HTTP header):
  connect-src 'self' wss://*.example.com
- Page attempts the following:
Error in the console:
Resource violated directive 'connect-src 'self'wss://*.example.com' in <meta http-equiv="Content-Security-Policy">: wss://service.example.com:443/websocket. Resource will be blocked.
Expected result: the connection is allowed. 443 is the default port for the wss scheme, so according to rule 4.9 of Section 4.2.2 “Matching Source Expressions” of the CSP2 spec it should not be blocked:
“If the source expression does not contain a port-part and url-port is not the default port for url-scheme, then return does not match.”
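For reference, here is an added example (not from the bug report or from Edge) implementing the CSP2 host-source matching rules that apply here: scheme, wildcard host, and the default-port rule 4.9. It assumes a `pageScheme` argument standing in for the protected resource's scheme, and leaves out 'self', path-part matching and any scheme-upgrade leniency.

```javascript
// Default ports CSP2 uses when a source expression has no port-part.
const DEFAULT_PORTS = { http: 80, ws: 80, https: 443, wss: 443 };

// Parse a host-source expression such as "wss://*.example.com" or
// "*.example.com:8080" into its scheme-part, host-part and port-part.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// host-part matching: "*" matches anything; "*.example.com" matches any
// subdomain of example.com but not example.com itself; otherwise exact match.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Returns true when `url` matches the host-source expression `expr`.
// `pageScheme` is the scheme of the protected resource (assumed input).
function matchesSourceExpression(expr, url, pageScheme) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const u = new URL(url);
  const urlScheme = u.protocol.replace(/:$/, '');
  // An explicit scheme-part must match; without one, the page's scheme applies.
  if (src.scheme ? src.scheme !== urlScheme : pageScheme !== urlScheme) return false;
  if (!hostMatches(src.host, u.hostname.toLowerCase())) return false;
  // new URL() drops a default port (":443" on wss), so recover the effective port.
  const urlPort = u.port ? Number(u.port) : DEFAULT_PORTS[urlScheme];
  if (src.port === null) {
    // Rule 4.9: no port-part in the expression means the URL must use the
    // default port for its scheme; an explicit ":443" on wss still qualifies.
    return urlPort === DEFAULT_PORTS[urlScheme];
  }
  if (src.port === '*') return true;
  return Number(src.port) === urlPort;
}
```

Under these rules wss://service.example.com:443/websocket matches wss://*.example.com, while a non-default port such as :8443 or the bare host example.com does not.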
Comments and activity
Here is a fiddle for this: https://jsfiddle.net/9qzhx4pa/5/
Here is a slight update where you can better play with the CSP header content.
- Microsoft Edge Team
Changed Assigned To to “Brad E.”
Changed Assigned To from “Brad E.” to “Steven K.”
Changed Assigned To to “Venkat K.”
Changed Assigned To to “David G.”