Solved

What is the syntax for Localhost in the meta tag Content Security Policy?

Posted on 2016-09-10
Last Modified: 2016-09-13
I am developing a PhoneGap application that not only runs on the phone but also on the desktop's browser. The application needs to access the resources in the www directory and a few js files that reside on external sites. So far my meta tag looks like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' localhost:*/*  'self' *.shlepz.com  *.googleapis.com   https://www.youtube.com  *.gstatic.com  *.ytimg.com; ">


With this meta tag I am still receiving the error, "127.0.0.1/:195 Refused to connect to 'ws://127.0.0.1:8080//ws' because it violates the following Content Security Policy directive:

I have no idea what ws is.  How do I change the localhost entry in the meta tag to make the error go away?  To state the incredibly obvious, I don't know what the port number will be until the application is loaded.  Most of the time it is 8080 but not always.

Thank you for your time,
Question by:Michael David
Accepted Solution

by: Dan McFadden (earned 500 total points)
The "ws://127.0.0.1:8080//ws" is a reference to localhost.  Also the CSP format is invalid based on the definition of the tag.  Best thing to do is to use a CSP generator.

Link:  http://cspisawesome.com/

Also, a few reference links:

1. https://content-security-policy.com/
2. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
3. http://www.cspplayground.com/home

Dan

Expert Comment

by:Dan McFadden
I would try this in the meta tag:

default-src 'self' *.shlepz.com *.googleapis.com https://www.youtube.com *.gstatic.com *.ytimg.com;

Dan

Author Closing Comment

by:Michael David
It makes sense that a content security policy generator exists, but I didn't think of searching for it.  I was hand generating it.  Thank you so much for this link.
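
Why the policy in the question still blocks the socket, as an added example that is not part of the original thread: a simplified source matcher run against the question's policy and against one with an explicit connect-src. The function names, the page origin http://127.0.0.1:8080 and the strict same-origin reading of 'self' are assumptions.

```javascript
// Added example: simplified CSP source matching for one connection target.
// Not a full CSP implementation: bare "*" and keywords other than 'self' never
// match here, and 'self' is a strict same-origin comparison (assumption).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/']+)(?::(\d+|\*))?(\/.*)?$/i;

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives; // first occurrence of a directive wins
}

function sourceMatches(expr, url, page) {
  if (expr.toLowerCase() === "'self'") return url.origin === page.origin;
  const m = SOURCE_RE.exec(expr);
  if (!m) return false; // keyword, nonce, hash or unsupported form
  const [, scheme, host, port, path] = m;
  const want = (scheme ? scheme + ':' : page.protocol).toLowerCase();
  const secure = { 'http:': 'https:', 'ws:': 'wss:' }[want];
  if (url.protocol !== want && url.protocol !== secure) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false; // "localhost" and "127.0.0.1" are different host strings
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (port !== '*' && urlPort !== (port || DEFAULT_PORT[url.protocol])) return false;
  if (!path) return true;
  // A path ending in "/" is a prefix; anything else ("/*" included) must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function allowsConnect(policy, target, pageUrl) {
  const directives = parsePolicy(policy);
  // WebSocket, XHR and fetch are checked against connect-src, then default-src.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (!sources) return true; // no governing directive, nothing to violate
  const url = new URL(target), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed inputs: the question's policy and a variant with connect-src added.
const PAGE = 'http://127.0.0.1:8080/';
const SOCKET = 'ws://127.0.0.1:8080//ws';
const ORIGINAL = "default-src 'unsafe-inline' localhost:*/* 'self' *.shlepz.com *.googleapis.com https://www.youtube.com *.gstatic.com *.ytimg.com;";
const FIXED = "default-src 'self' *.shlepz.com; connect-src 'self' ws://127.0.0.1:* ws://localhost:*";
console.log('original allows socket:', allowsConnect(ORIGINAL, SOCKET, PAGE));
console.log('fixed allows socket:   ', allowsConnect(FIXED, SOCKET, PAGE));
```

Once connect-src is present it replaces the default-src fallback for XHR, fetch and WebSocket, so any external hosts the application calls must be listed there as well.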