Every other browser understands when I say:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com";
In my headers. But Safari says:
Refused to connect to wws://mysite because it doesn't not appear in the connect-src directive in Content Security Policy. [Error] SecurityError (DOM Exception 18): The operation is insecure. (anonymous function) (myjavascripturl.js)
Why does Safari not understand my Content-Security-Policy headers?
In the policy you have provided there are no single quotes around unsafe-inline, which are required. Change this:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com";
To this:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src wss://mysite.com";
--------------------------------------------------------------------------^-------------^
That could be affecting the parsing of the policy.
The other concern is in the error message you provided.
Refused to connect to wws://mysite
-----------------------^
Do you have a typo somewhere in your code? Should this be wss?
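A small check for the two problems raised in the answer above, as an added example that is not part of the original question or answer. The function names are hypothetical, and the connect-src matching is deliberately simplified: it compares scheme and host literally and ignores wildcards, ports, paths and 'self'.

```javascript
// Keyword sources that CSP requires to be wrapped in single quotes.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval",
  "strict-dynamic", "unsafe-hashes", "report-sample", "wasm-unsafe-eval"]);

// Split "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // As in browsers, the first occurrence of a directive wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Report keywords written without quotes; a browser reads those as host names.
function findUnquotedKeywords(policy) {
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const src of sources) {
      if (KEYWORDS.has(src.toLowerCase())) {
        findings.push(`${name}: ${src} should be '${src}'`);
      }
    }
  }
  return findings;
}

// Simplified check (assumption: literal scheme://host comparison only).
function connectSrcAllows(policy, url) {
  const d = parseCsp(policy);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (!sources) return true; // no applicable directive means no restriction
  const origin = (s) => (s.match(/^([a-z][a-z0-9+.-]*:\/\/[^\/:]+)/i) || [])[1];
  const target = origin(url);
  return target !== undefined &&
    sources.some((s) => origin(s)?.toLowerCase() === target.toLowerCase());
}

// Policies from the question and the answer; the URLs are constructed samples.
const asAsked = "default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com;";
const asFixed = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src wss://mysite.com;";
console.log(findUnquotedKeywords(asAsked));
console.log(findUnquotedKeywords(asFixed));
console.log(connectSrcAllows(asFixed, "wss://mysite.com/socket"));
console.log(connectSrcAllows(asFixed, "wws://mysite"));
```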