socket.io Content-Security-Policy Host

[theage]

What is the recommended practice to define a sensible CSP to allow socket.io requests?

The host name may be known only upon receiving a request with the Host:, so I cannot configure the CSP string statically because 'self' does not apply to web sockets on the ws:// / wss:// protocols.

[shaunwarman]

Hey @theage

You should have no problem adding your ws:// uri to the connect-src CSP directive in lusca. So you would have something like:

...
"connect-src": "'self' ws://<hostname> wss://<hostname>"
...

[theage]

@shaunwarman, the issue is that the hostname is dynamically inferred from the Host: header (at runtime), but lusca wants a hard-coded header, so basically I have to send the CSP header myself rather than have lusca do it, unless there is a way to have a function resolve it.

"connect-src": () => { ... return `'self' ws://${request.hostname} wss://${request.hostname}` }

[shaunwarman]

Hmm interesting. Could you elaborate on the dynamic host? Is this an auto-scaled environment where the ws:// server name relys on host machine?