Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Javascript create WebSocket connection refused - content security

Trying to open a WebSocket connection from a Browser to a server running on localhost:9000 here is my JS code:

$( document ).ready(function() {

    var url = "ws://localhost:9000/myapp";
    var connection = new WebSocket(url);

    connection.onopen = function() {
        console.log('WebSocket Open');
    };
    connection.onerror = function(error) {
        console.log('WebSocket Error ', error);
    };
    connection.onmessage = function(event) {
        console.log('WebSocket Msg ', event);
    }

});

But the browser is refusing to accept the connection due to Content-security policy:

Content Security Policy: The page's settings blocked the loading of a resource at ws://localhost:9000/myapp ("default-src http://localhost:9000").

I thought that openning a websocket connection to "self" in this case "localhost" would be acceptable but both Chrome and FF are denying the connection. I thought of placing

<meta http-equiv="Content-Security-Policy" content="default-src http: ws: connect-src ws:">

but it didn't fix the problem.

These are the headers being returned by the Server:

HTTP/1.1 200 OK
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
X-Permitted-Cross-Domain-Policies: master-only
Date: Sat, 24 Jun 2017 03:39:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2130

What could be causing the connection refusal ?

like image 868
guilhebl Avatar asked Jun 24 '17 03:06

guilhebl


People also ask

How do I fix WebSocket connection failed?

Solution 1Check that all the Bot Insight services are running. Check that your firewall settings are configured to accept incoming websocket data. Try to use a different web browser. Restart the Bot Insight Visualization and Bot Insight Scheduler services.

What can block WebSocket connection?

A blocked connection can be caused by: AdBlocker / Cookie blocker browser extensions. Antivirus and Firewall software. Proxy and VPN connections.

Why WebSocket is not secure?

A Cross-Site Scripting attack evolves into a comprehensive security breach when a Cross-Site Scripting assault is carried out. Also, it's necessary to know that data transfer over the WebSocket protocol is done in plain text, similar to HTTP. As a result, man-in-the-middle attacks on this data are the real threat.


1 Answers

It seems like that page must be getting served with a Content-Security-Policy response header that has default-src http://localhost:9000 in its value.

Given that you can never use a CSP directive somewhere to apply a more-liberal policy than one applied from somewhere else, if you have a strict default-src http://localhost:9000 policy in the CSP header, it’ll be applied instead of any more-liberal policy you might have specified using a meta element in a document.

See the discussion about multiple policies in the CSP spec:

The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.

So I think you may need to change value of the Content-Security-Policy header to have default-src http: ws: connect-src ws:. You can’t do it with just a meta element.

like image 88
sideshowbarker Avatar answered Oct 13 '22 20:10

sideshowbarker