I'm in a bit of a pinch, developing a fund broker site.
As part of our security policies, CSP is implemented across our servers, but now, we're implementing communication with desktop software supplied by Scandinavian banks (BankID).
With this, a problem arises: to open the BankID desktop software, a link should be clicked with a custom protocol, looking like this:
bankid://?orderref=[GUID]&autostarttoken=[GUID]
As I'm sure you understand, I'm having serious problems allowing this link through our CSP policies. My searches have yielded no results, and I have run out of ideas.
I have tried allowing a wildcard domain under the protocol, thus:
Content-Security-Policy: default-src 'self' bankid://*;
It works perfectly if I turn off CSP, so it's definitely the issue.
Anyone have any experience with this? Any help is greatly appreciated.
After a few more hours searching, I found the following on the Mozilla Wiki:
We need an application delivery mechanism that provides assurances on app integrity and authenticity, and also allows for well-defined application & privilege scope enforcement so integrity can be maintained at runtime.
And further:
Privileged and certified apps will be accessed via a unique scheme (app://). The domain will correspond to the app id.
I'm not sure if this would be applicable, but if I read this right, it means that Mozilla are considering how to tackle this very issue.
Upvotes: 9
Views: 2501
It seems that you were very close to the solution; you only have to alter the syntax a little bit. By removing the slashes it should work just fine.
Content-Security-Policy: default-src 'self' bankid:;
To summarize:
Upvotes: 15
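To see why the slashes matter, here is an added example (not code from the answer, the question, or BankID): a simplified matcher for CSP source expressions that separates a scheme-source (`bankid:`) from a host-source (`bankid://*`). A host-source is compared against the URL's host, and a `bankid://?...` link has no host, so only the scheme-source form can permit it. The broker origin `https://broker.example`, the placeholder GUIDs and the function names are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Simplified CSP3 grammar: scheme-source ("bankid:") vs host-source ("bankid://*").
# Teaching model only; browsers also apply port, path and http->https rules.
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?:\d+|\*))?(?:/[^\s;,]*)?$"  # port and path are accepted but ignored
)

def source_allows(expression, url, page_origin):
    """True if a single CSP source expression permits `url` on a page at `page_origin`."""
    parts = urlsplit(url)
    if expression == "'self'":
        origin = urlsplit(page_origin)
        return (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc)
    if SCHEME_SOURCE.match(expression):
        # scheme-source: only the scheme is compared, so a URL without a host still matches
        return parts.scheme.lower() == expression[:-1].lower()
    m = HOST_SOURCE.match(expression)
    if not m:
        return False  # other keywords are not modelled; unparseable expressions never match
    if m.group("scheme") and m.group("scheme").lower() != parts.scheme.lower():
        return False
    # host-source: there must be a host to compare, and bankid://?... has none
    if not parts.hostname:
        return False
    host, host_pat = parts.hostname.lower(), m.group("host").lower()
    if host_pat == "*":
        return True
    return host == host_pat or (host_pat.startswith("*.") and host.endswith(host_pat[1:]))

def csp_allows(header_value, directive, url, page_origin):
    """Evaluate one directive of a CSP header value, falling back to default-src."""
    directives = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get(directive.lower()) or directives.get("default-src", [])
    return any(source_allows(s, url, page_origin) for s in sources)

# Constructed inputs: a link shaped like the question's (placeholder GUIDs), an assumed origin, both policies.
BANKID_LINK = "bankid://?orderref=ORDERREF-GUID&autostarttoken=AUTOSTART-GUID"
PAGE_ORIGIN = "https://broker.example"
ORIGINAL_POLICY = "default-src 'self' bankid://*;"
FIXED_POLICY = "default-src 'self' bankid:;"
```

Running `csp_allows` with the two policies shows the original form rejecting the link and the corrected form accepting it while still refusing third-party https origins.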