I want to add a new header Content-Security-Policy to my nginx conf in order to improve security. I’ve added all external sources and everything works fine except for the chatbot which is infobip. It uses wss protocol and for some reason I can’t find the right way to configure it.
And this is my the header in nginx.conf
add_header ‘Content-Security-Policy’ "default-src ‘self’ ‘unsafe-inline’ wss: wss://.infobip.com ws://.infobip.com .infobip.com http://www.w3.org https://fonts.googleapis.com https://stackpath.bootstrapcdn.com .youtube.com https://cdn.jsdelivr.net/; img-src ‘self’ data: https://.openstreetmap.org wss://livechat-fr.infobip.com/chat/web/proxy/827/toxgylwd/websocket always; connect-src ‘self’ wss: ws: wss://.infobip.com ws://*.infobip.com .infobip.com https://.doubleclick.net wss://livechat-fr.infobip.com/chat/web/proxy/492/hybzmnjl/websocket ‘unsafe-inline’ always;";
I’ve tried numerous ways to allow the websocket connection but none seems to work.
2
Answers
Since every websocket connection start by a regular http request, you must add a CSP for https://your-websocket-server-domain:port
The http request will be answered with a
101: swtiching protocolsand then the connection will become a WebSocket connection.Note that I don’t think that the ws: or wss: csp directive is required at all.
You have 3 issues:
Console errors you shown are not CSP-related. "403 Forbidden" means you do not have access to related Url. "’X-Frame-Options’ to ‘deny’" means you try to embed iframe but that page disallows embedding via
X-Frame-Options: "DENY"HTTP header.Wrong format of Nginx
add_header. It should looks like (pay attention to quotes –alwayskeyword should be placed out of the CSP settings):add_header Content-Security-Policy "default-src 'self'..." always;Wrong format of CSP’s host-sources. Host-sources like
.youtube.commust not contain a leading.dot:youtube.comwill allow to load resources from http(s)://youtube.com and*.youtube.comwill allow resources from the subdomains of youtube.com.So your syntactically correct CSP should looks like:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.comhttps://fonts.googleapis.com infobip.com ws://infobip.com wss://infobip.com youtube.comhttps://cdn.jsdelivr.net http://www.w3.org;connect-src 'self' infobip.com wss://infobip.com ws://*.infobip.comwss://livechat-fr.infobip.com/chat/web/proxy/ https://doubleclick.net;img-src 'self' data: https://openstreetmap.org;" always;Note that:
wss:covers any host-sources with that scheme (eg wss://site.com/websocket). So I deleted the scheme-sources and left the host-sources.'unsafe-inline'in theconnect-src.as line break, so I used it because it’s hard to maintain CSP in one line. Check does your Nginx version supports this feature.Note 2: This CSP can block some sources – just add them to the appropriate directives.
Note 3: Consider moving the sources from the
default-srcdirective to thescript-src+style-src+font-srcdirectives. Because for now you actually allows'unsafe-inline'in thescrit-srcso your CSP does not protect against XSS. It will also be difficult to manage CSP in the future, since the sources are mixed in one directive.