iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy


Question

So I made a PhoneGap app which uses socket.io to do stuff.
I have the following Content-Security-Policy (CSP):

<meta http-equiv="Content-Security-Policy" content="
                                default-src * data: blob: ws: wss:;
                                style-src * 'unsafe-inline'; 
                                script-src * 'unsafe-inline' 'unsafe-eval';
                                connect-src * ws: wss:;">

When I start the app on Safari / iOS I get the following error:

Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi 
because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

AND:

SecurityError (DOM Exception 18): The operation is insecure.

The same app with the same CSP works just fine on Chrome / Android but not on Safari / iOS.
I think this has something to do with:
a refined content security policy (WebKit)

Resources that seem to come up a lot:

Why is it saying "Refused to connect to <URL starting with ws:> because it appears in neither the connect-src directive nor the default-src directive of the Content-Security-Policy" even though it is mentioned in both?

Okay, Safari / iOS is more strict than Chrome / Android when it comes to this, all fine, but it still needs to enable me to allow the connection through. This is really frustrating for an app developer! Solutions?

Made a bug report on bugs.webkit.org: https://bugs.webkit.org/show_bug.cgi?id=165754

Recommended answer

Okay, so this is kind of dumb, but OK, I'll keep this answer so future people can see it and don't have to deal with this problem.

What I did wrong was:
I had the following head:

<head>
    <meta charset="utf-8" />
    <!--<meta http-equiv="Content-Security-Policy" 
    content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />-->
    <meta http-equiv="Content-Security-Policy" content="
                            default-src * data: blob: ws: wss: gap://ready file://*;
                            style-src * 'unsafe-inline'; 
                            script-src * 'unsafe-inline' 'unsafe-eval';
                            connect-src * ws: wss:;">
    <meta name="format-detection" content="telephone=no" />
    <meta name="msapplication-tap-highlight" content="no" />
    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
    <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src"/>
    <link rel="stylesheet" type="text/css" href="css/reset.css" />
    <link rel="stylesheet" type="text/css" href="css/index.css" />
    <title>Kerst app!</title>
</head>

And I didn't notice that I had the "Content-Security-Policy" meta tag twice.
I know, right? The duplicate caused iOS to just take the latest one, which was more strict. Removed the duplicate, worked the first time around.

Finally, the core code:

<head>
    <meta charset="utf-8" />
    <!--<meta http-equiv="Content-Security-Policy" 
    content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />-->
    <meta http-equiv="Content-Security-Policy" content="
                            default-src * data: blob: ws: wss: gap://ready file://*;
                            style-src * 'unsafe-inline'; 
                            script-src * 'unsafe-inline' 'unsafe-eval';
                            connect-src * ws: wss:;">
    <meta name="format-detection" content="telephone=no" />
    <meta name="msapplication-tap-highlight" content="no" />
    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
    <link rel="stylesheet" type="text/css" href="css/reset.css" />
    <link rel="stylesheet" type="text/css" href="css/index.css" />
    <title>Kerst app!</title>
</head>
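The duplicate-tag failure from the answer, as an added example that is not code from the original post: a small Node.js checker that pulls every Content-Security-Policy meta tag out of a head, parses each policy, and tests a WebSocket URL against connect-src (falling back to default-src) policy by policy, which matters because a browser must satisfy every delivered policy, so a second, stricter tag can only tighten what the first allows. Assumptions: a bare `*` is treated as covering http: and https: only (the strict reading the question's error reflects), `scheme:` and `scheme://host` sources are matched by scheme and host, and the head and URL are constructed to mirror the question.

```javascript
// Added example, not code from the original post: every CSP <meta> in a head is
// parsed separately; a URL must pass each policy's connect-src (or default-src).
const META_RE =
  /<meta\s+http-equiv=(["'])Content-Security-Policy\1\s+content=(["'])([\s\S]*?)\2/gi;
function extractPolicies(html) {
  const live = html.replace(/<!--[\s\S]*?-->/g, ''); // commented-out tags do not count
  return Array.from(live.matchAll(META_RE), (m) => m[3]);
}

function parsePolicy(policy) {
  const dirs = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && dirs[name] === undefined) dirs[name] = sources; // first occurrence wins
  }
  return dirs;
}

// Assumed matcher: bare '*' covers http: and https: only (the strict reading the
// question runs into), 'scheme:' matches by scheme, 'scheme://host' matches both.
function sourceMatches(s, url) {
  if (s.startsWith("'")) return false;                 // keywords never match a URL
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const [scheme, hostPort] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && url.protocol !== `${scheme}:`) return false;
  return hostPort === '*' || hostPort === url.host;
}

function allowedByPolicy(dirs, urlString) {
  const url = new URL(urlString);
  const list = dirs['connect-src'] ?? dirs['default-src'];
  return list ? list.some((src) => sourceMatches(src, url)) : true; // no directive: open
}

function checkConnect(html, urlString) {
  const perPolicy = extractPolicies(html).map((p) => allowedByPolicy(parsePolicy(p), urlString));
  return { perPolicy, allowed: perPolicy.every(Boolean) };
}
// Constructed head reproducing the duplicate-tag mistake described in the answer.
const SAMPLE_HEAD = `<head>
  <!--<meta http-equiv="Content-Security-Policy" content="default-src *" />-->
  <meta http-equiv="Content-Security-Policy" content="
      default-src * data: blob: ws: wss: gap://ready file://*;
      connect-src * ws: wss:;">
  <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src"/>
</head>`;
const SOCKET_URL = 'ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket';
console.log(checkConnect(SAMPLE_HEAD, SOCKET_URL)); // { perPolicy: [ true, false ], allowed: false }
```

The second policy has no connect-src and its default-src lacks any ws: source, so it alone blocks the socket; dropping the duplicate tag makes the check pass.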
