NVO

Reputation: 2713

CSP connect-src network sources

We are trying to implement CSP in our application, but we are stuck in the following situation:

We are using the Epson EPOS SDK script, which connects to the local IP of the printer of our users. That IP is different (of course) for every user, and we can't add all hosts in the connect-src line.

I have tried to generate a hash of the specific code but I can't get that code. The SDK (which is loaded as 'epos.js') is sending a POST with the commands to the printer. When I send that command in Postman I only get a response (XML) from the printer and not the script.

Now I'm looking for other ways to use CSP in combination with this SDK. Of course I can add a * as connect-src but that will be the same as not using CSP. Is there a way to accept connections to local IP addresses? Or are there better ways to implement this?

Upvotes: 1

Views: 518

Answers (1)

granty

Reputation: 8546

The connect-src directive does not support hash-sources; it's a road to nowhere.

CSP level 3 does not allow using IPv4address (except 127.0.0.1) as host-sources, although browsers support them (Chrome and Firefox were tested). Therefore, it is incorrect to use this feature in production.

The only way is connect-src *;, I do not see any workarounds.

Upvotes: 2
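
An added example, not part of the question or the answer: a small Python linter that reports the three connect-src patterns this thread discusses (the * wildcard, hash sources, and IPv4 literals other than 127.0.0.1). The policy string and all function names are constructed for illustration, and IPv6 literals are not handled.

```python
import ipaddress
import re

# 'sha256-...', 'sha384-...', 'sha512-...' and 'nonce-...' source expressions
HASH_OR_NONCE = re.compile(r"^'(sha(256|384|512)|nonce)-[^']+'$", re.I)

def connect_src_sources(policy):
    """Return the connect-src source list, falling back to default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # the first occurrence of a directive wins, later duplicates are ignored
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("connect-src", directives.get("default-src", []))

def host_of(source):
    """Strip scheme, port and path from a host-source expression (IPv4/names only)."""
    host = source.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host

def audit_connect_src(policy):
    """Return (source, reason) pairs for the patterns discussed in this thread."""
    findings = []
    for src in connect_src_sources(policy):
        if src == "*":
            findings.append((src, "wildcard: connections to any host are allowed"))
        elif HASH_OR_NONCE.match(src):
            findings.append((src, "hash/nonce sources are not supported by connect-src"))
        else:
            try:
                ip = ipaddress.IPv4Address(host_of(src))
            except ValueError:
                continue  # a host name, scheme or keyword such as 'self'
            if str(ip) != "127.0.0.1":
                findings.append((src, "IPv4 literal other than 127.0.0.1 as host-source"))
    return findings

# Constructed sample policy; the addresses and ports are placeholders.
SAMPLE = ("default-src 'self'; connect-src 'self' https://192.168.1.50:8043 "
          "'sha256-AAAA' http://127.0.0.1:8008")

if __name__ == "__main__":
    for source, reason in audit_connect_src(SAMPLE):
        print(f"{source}: {reason}")
```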
