violates the following Content Security Policy directive when i use a Web Socket "Custom Nodes" option

[vincentlg]

✅ Prerequisites

const customNodeOptions = {
rpcUrl: 'wss://rpc-mainnet.maticvigil.com/ws',
chainId: 137
}

🐛 Description

Refused to connect to 'wss://rpc-mainnet.maticvigil.com/ws' because it violates the following Content Security Policy directive: "connect-src 'self' https://.magic.link/ https://.fortmatic.com/ https://.alchemyapi.io/ wss://.ws.alchemyapi.io/ https://.infura.io/ https://.xdai.quiknode.pro ...

🧩 Steps to Reproduce

Subscribe to an event with the web3 magic provider configured as above.

🌎 Environment

Software	Version(s)
magic-sdk	"magic-sdk": "^4.2.1"

The doc does not describe any restriction on WS RPC
https://docs.magic.link/blockchains/ethereum#configure-custom-nodes

But it seems you need whitelists one or more of this "official" web socket RPC provider

wss://rpc-mainnet.maticvigil.com/ws or
wss://rpc-mainnet.matic.quiknode.pro or
wss://ws-matic-mainnet.chainstacklabs.com or
wss://matic-mainnet-full-ws.bwarelabs.com or
wss://matic-mainnet-archive-ws.bwarelabs.comor
wss://ws-mainnet.matic.network

Thank you

[smithki]

Our team will need to add this node to our CSP. Someone will ping this thread when it's complete.

[hcote]

@vincentlg Those URLs listed have been added

[vincentlg]

Thank you for your intervention, unfortunately I guess a problem persists on your side

Access to XMLHttpRequest at 'wss://rpc-mainnet.maticvigil.com/ws' from origin 'https://auth.magic.link' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, chrome-untrusted, https.

[smithki]

Looks like this new error is related to our CORS setup, will forward this to our infrastructure team and have them take a look.

[Genzan]

Good evening

I'm having the same problem when connecting to my custom node

const customNodeOptions = {
rpcUrl: 'http://189.197.77.190:8545',
chainId: 10
}

But having this error on console.

Content Security Policy: The page’s settings blocked the loading of a resource at http://189.197.77.190:8545/ (“connect-src”).

[vincentlg]

Looks like this new error is related to our CORS setup, will forward this to our infrastructure team and have them take a look.

👀 Any news from the infrastructure team ? :)

[smithki]

👀 Any news from the infrastructure team ? :)

@vincentlg

Here's the current status: we don't have support for Web3 WebSocket subscriptions at this time. It's on our roadmap but I don't have an estimated release date for you.

[smithki]

Good evening

I'm having the same problem when connecting to my custom node

const customNodeOptions = {
rpcUrl: 'http://189.197.77.190:8545',
chainId: 10
}

But having this error on console.

Content Security Policy: The page’s settings blocked the loading of a resource at http://189.197.77.190:8545/ (“connect-src”).

@Genzan We allow localhost origins for testing custom node configurations. You can work around this by mapping that IP address to localhost in your etc/hosts file.

[Genzan]

Good evening
I'm having the same problem when connecting to my custom node
const customNodeOptions = {
rpcUrl: 'http://189.197.77.190:8545',
chainId: 10
}
But having this error on console.
Content Security Policy: The page’s settings blocked the loading of a resource at http://189.197.77.190:8545/ (“connect-src”).

@Genzan We allow localhost origins for testing custom node configurations. You can work around this by mapping that IP address to localhost in your etc/hosts file.

Im using the react example of yours as base to do these test (https://magic.link/posts/magic-react-express), also the ip 189.197.77.190 is a server diferent of my local computer. Will read about these host file as I have never work with one before, and tell you the results

[Genzan]

Already changed my Host file, but same problem persist

[smithki]

Already changed my Host file, but same problem persist

You must also configure your Magic instance with a localhost origin given to the network.rpcUrl field. Unfortunately, that parameter cannot be an IP address as a matter of security.

If your custom node server has a DNS-resolvable domain and HTTPS, we can discuss allowing it through our CSP, but typically we only support public, known providers in order to maintain a high-level of user trust.

[smithki]

@Genzan Please let me know if your concern has been resolved. If so, feel free to close the issue.

[Genzan]

We are currently working on getting a domain so I can pass to you, if you could give me a mail where I can summit it once it has been compleated I would be Happy to do so