Reputation: 948
I have a question/issue: I deploy the Hyperledger Explorer (connected to my Fabric network) via Kubernetes and connect to its UI via an ingress. On any browser other than Safari I have no issue with the explorer, but on Safari, after login, I get a blank page and the following error in the browser console:
[Error] Refused to connect to wss://[MYURL] because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy. (x2)
Do you have an idea whether it's an issue with the explorer or with my ingress config? Is it some kind of CORS issue?
This is my ingress config. I tried to modify the annotations, remove some, with no luck.
ingress:
  enabled: true
  annotations:
    external-dns.alpha.kubernetes.io/hostname: MYURL
    external-dns.alpha.kubernetes.io/target: MYURL
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Apollo-Tracing
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
  path: /
  servicePort: ui
  hosts:
    - MYURL
Upvotes: 1
Views: 217
Reputation: 53
Apparently it's a Safari bug:
https://bugs.webkit.org/show_bug.cgi?id=201591
As per CSP spec paragraph 6.6.2.6, point 4, the "'self'" match, 2nd match condition (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression):
"'self'": return "Matches" if one or more of the following conditions is met:
2. origin’s host is the same as url’s host, origin’s port and url’s port are either the same or the default ports for their respective schemes, and one or more of the following conditions is met:
- url’s scheme is "https" or "wss"
- origin’s scheme is "http" and url’s scheme is "http" or "ws"
This appears to not be working correctly in Safari, where I have a CSP of "connect-src 'self'" for a service worker, but the service worker refuses to connect to a web socket on the same host and port, logging error
Refused to connect to wss://SOMEHOST/ws because it does not appear in the connect-src directive of the Content Security Policy.
Chromium had the same issue, fixed about a year ago: https://bugs.chromium.org/p/chromium/issues/detail?id=815142
Related W3C CSP Issue: https://github.com/w3c/webappsec-csp/issues/7
Upvotes: 0
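To make the spec rule quoted in the answer concrete, here is an added JavaScript implementation of the CSP "'self'" matching condition (it is not code from the question, the answer, or Hyperledger Explorer). It shows that, per the spec, a wss:// WebSocket on the same host and default port as an https:// page matches connect-src 'self', which is exactly the case Safari rejects; the hostname explorer.example.test is a constructed placeholder for MYURL.

```javascript
// Added example: the 'self' branch of CSP "match url to source expression",
// following the two conditions quoted from the spec in the answer above.
// Hostnames used in the tests are constructed placeholders.

const DEFAULT_PORTS = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };

// The URL API drops default ports, so recover the effective port from the scheme.
function effectivePort(u) {
  return u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
}

// Condition 1: origin is the same as url's origin (scheme, host and port equal).
// Condition 2: same host, ports equal or both scheme defaults, and either
//   - url's scheme is "https" or "wss", or
//   - origin's scheme is "http" and url's scheme is "http" or "ws".
function selfMatches(originStr, urlStr) {
  const origin = new URL(originStr);
  const url = new URL(urlStr);
  if (origin.origin === url.origin) return true; // condition 1
  if (origin.hostname !== url.hostname) return false;
  const oPort = effectivePort(origin);
  const uPort = effectivePort(url);
  const portsOk = oPort === uPort ||
    (oPort === DEFAULT_PORTS[origin.protocol] && uPort === DEFAULT_PORTS[url.protocol]);
  if (!portsOk) return false;
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return origin.protocol === "http:" && (url.protocol === "http:" || url.protocol === "ws:");
}

// Evaluate a connect-src value containing 'self' and/or literal scheme://host
// sources against a target URL. Only these two source kinds are handled, which
// is enough to compare the spec's verdict with the Safari error in the question.
function connectSrcAllows(directive, pageOrigin, targetUrl) {
  const target = new URL(targetUrl);
  return directive.split(/\s+/).filter(Boolean).some((src) => {
    if (src === "'self'") return selfMatches(pageOrigin, targetUrl);
    try {
      const s = new URL(src); // literal source such as wss://explorer.example.test
      return s.protocol === target.protocol && s.hostname === target.hostname &&
        effectivePort(s) === effectivePort(target);
    } catch (e) {
      return false; // not a parsable literal source; other kinds are not modelled
    }
  });
}
```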