BeniaminoBaggins

Reputation: 12483

Content-Security-Policy refused to connect to

Refused to connect to 'https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' 'unsafe-eval 'self' *.googleapis.com *.google-analytics.com *.gstatic.com *.googletagmanager.com aaa.dev.someplace.com *.test.ldxxx.net *.testauto.ldxxx.net w1xxx.ldxxx.net aaa.xxz.ldxxx.net aaa.test.someplace.com aaa.staging.aaac.net aaa.yyy.ddd.as.nz". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Bear in mind that I have masked the URLs so as not to give away sensitive information.

My exact Content-Security-Policy HTTP header is in the quoted error text. The error states that:

https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE

violates my Content-Security-Policy. But why? Shouldn't https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE be allowed as a connection target, because of the w1xxx.ldxxx.net entry in my Content-Security-Policy?

Upvotes: 1

Views: 4677

Answers (1)

Anand Bhat

Reputation: 5819

What is the URL of the page where the policy is defined, and where this violation occurs?

If this page is not served on port 7031, you would have to specify w1xxx.ldxxx.net:7031 as the host entry in your policy.

Per the CSP specification, if the port isn't specified in a host-source expression, the URL must be on the default port for its scheme (443 for HTTPS).

If expression does not contain a port-part, and url’s port is not the default port for url’s scheme, return "Does Not Match".

Upvotes: 1
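To make the port rule from the answer concrete, here is an added example (not code from the question, the answer, or any browser) implementing the CSP3 host-source matching steps: scheme, host (including "*." wildcards), port and path. The page origin is not given in the post, so the example assumes the page lives at https://aaa.dev.someplace.com; the policy is trimmed to a few of the masked entries, and keyword sources such as 'self' and 'unsafe-inline' are deliberately not modelled (they are not host-sources). It runs in Node or any modern browser via the WHATWG URL class.

```javascript
// Added example: a minimal CSP3 "host-source" matcher, enough to show why the
// entry w1xxx.ldxxx.net does not cover https://w1xxx.ldxxx.net:7031/... while
// w1xxx.ldxxx.net:7031 or w1xxx.ldxxx.net:* does. Not browser code.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Scheme-part match: identical, or a secure upgrade of the expression's scheme
// (an "http:" expression also allows "https:" URLs, "ws:" also allows "wss:").
function schemeMatches(exprScheme, urlScheme) {
  const a = exprScheme.toLowerCase(), b = urlScheme.toLowerCase();
  return a === b || (a === "http" && b === "https") || (a === "ws" && b === "wss");
}

// Parse a host-source such as "*.gstatic.com", "w1xxx.ldxxx.net:7031" or
// "https://cdn.example:*/assets/". Returns null for anything that is not a
// host-source (keywords like 'self', 'unsafe-inline', nonces, hashes).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1], host: m[2], port: m[3], path: m[4] };
}

// True if one source expression `expr` allows `urlString`, evaluated for a
// document at `pageOrigin` (needed when the expression carries no scheme).
function hostSourceMatches(expr, urlString, pageOrigin) {
  const e = parseHostSource(expr);
  if (!e) return false;
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);

  // 1. Scheme: explicit scheme-part, otherwise the protected page's own scheme.
  const exprScheme = e.scheme ?? new URL(pageOrigin).protocol.slice(0, -1);
  if (!schemeMatches(exprScheme, urlScheme)) return false;

  // 2. Host: "*" matches any host, "*.example.com" matches subdomains only,
  //    otherwise an exact (case-insensitive) match is required.
  const host = url.hostname.toLowerCase(), eHost = e.host.toLowerCase();
  if (eHost !== "*") {
    if (eHost.startsWith("*.")) {
      if (!host.endsWith(eHost.slice(1))) return false; // keeps the leading dot
    } else if (host !== eHost) {
      return false;
    }
  }

  // 3. Port: the rule quoted in the answer. No port-part in the expression means
  //    the URL must be on the default port for its scheme; "*" allows any port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  if (e.port === undefined) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (e.port !== "*" && e.port !== urlPort) {
    return false;
  }

  // 4. Path: prefix match when the expression path ends in "/", exact otherwise.
  if (e.path) {
    const ok = e.path.endsWith("/") ? url.pathname.startsWith(e.path) : url.pathname === e.path;
    if (!ok) return false;
  }
  return true;
}

// Split a directive value on whitespace and return the expressions allowing `urlString`.
function matchingSources(directiveValue, urlString, pageOrigin) {
  return directiveValue.split(/\s+/).filter(Boolean)
    .filter((s) => hostSourceMatches(s, urlString, pageOrigin));
}

// Constructed sample data: the page origin is an assumption (not stated in the post);
// the policy is a trimmed version of the masked default-src list from the question.
const PAGE_ORIGIN = "https://aaa.dev.someplace.com";
const BLOCKED_URL = "https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE";
const ORIGINAL_POLICY = "'self' *.googleapis.com *.gstatic.com w1xxx.ldxxx.net";
const FIXED_POLICY = "'self' *.googleapis.com *.gstatic.com w1xxx.ldxxx.net:7031";

if (typeof require !== "undefined" && require.main === module) {
  console.log(matchingSources(ORIGINAL_POLICY, BLOCKED_URL, PAGE_ORIGIN)); // []
  console.log(matchingSources(FIXED_POLICY, BLOCKED_URL, PAGE_ORIGIN));    // [ 'w1xxx.ldxxx.net:7031' ]
}
```

Two practical notes follow from the matcher. First, because a URL on the default port serialises with an empty `port` (`new URL("https://h:443/").port === ""`), an explicit `:443` in either the policy or the URL behaves the same as no port at all. Second, a scheme-less expression inherits the page's scheme, so an `http://` page with `w1xxx.ldxxx.net` in its policy would allow the `https://` URL only because of the secure-upgrade rule in step 1, while the port check in step 3 would still block `:7031`.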
