Safari Web extension connect-src does not work.

Our extension uses the fetch API from the background to check if the user is properly logged in. But we get this error message:

Refused to connect to https://example.com/foo/user because it does not appear in the connect-src directive of the Content Security Policy.

Even if the link https://example.com/foo/user is specified in the manifest:

{
    ...
    "content_security_policy": "script-src 'self';object-src 'self'; connect-src 'https://example.com/foo/user' ",
    ...
}

We've tried

  • "content_security_policy": "script-src 'self';object-src 'self'; connect-src https://example.com/foo/user"
  • "content_security_policy": "script-src 'self';object-src 'self'; connect-src https://example.com/*"
  • "content_security_policy": "script-src 'self';object-src 'self'; connect-src * "

Same error message when we're trying to make a WebSocket connection (wss://exampe.com/service/bar).

For info, our Chrome/Firefox extensions work perfectly with the connect-src * directive.

Does someone have the same issue? If yes, how did you manage to make it work?

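The manifest values quoted in the question above, run through a syntax check, as an added example that is not part of the original post or of any browser's code. It classifies each connect-src source expression by the CSP grammar only (a quoted URL is not a host-source, and `*` inside a path is a literal character, not a wildcard) and does not model Safari's enforcement; `classifySource`, `pathMatches` and `lintConnectSrc` are hypothetical names.

```javascript
// Added example: grammar check only; does not model any browser's enforcement.
const KEYWORDS = new Set(["'self'", "'none'"]);
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^\s;,]*)?$/i;

function classifySource(token) {
  if (token === "*") return { kind: "wildcard", valid: true };
  if (KEYWORDS.has(token.toLowerCase())) return { kind: "keyword", valid: true };
  if (token.startsWith("'") || token.endsWith("'")) {
    // Only two keywords are modelled here (nonces/hashes are out of scope).
    // A quoted URL is not a host-source; conforming parsers skip it.
    return { kind: "quoted-unrecognised", valid: false };
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(token)) return { kind: "scheme", valid: true };
  const m = HOST_SOURCE.exec(token);
  if (!m) return { kind: "unparseable", valid: false };
  const path = m[4] || "";
  // "*" is a wildcard only in host and port; inside a path it is a literal.
  return { kind: "host", valid: true, path, literalStarInPath: path.includes("*") };
}

// Simplified CSP path rule (no percent-decoding): a source path ending in "/"
// is a prefix match, any other source path must match exactly.
function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "") return true;
  return sourcePath.endsWith("/") ? urlPath.startsWith(sourcePath) : urlPath === sourcePath;
}

function lintConnectSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "connect-src") {
      return sources.map((source) => ({ source, ...classifySource(source) }));
    }
  }
  return null; // no connect-src directive in this policy string
}

// The four policy strings quoted in the post.
const tried = [
  "script-src 'self';object-src 'self'; connect-src 'https://example.com/foo/user' ",
  "script-src 'self';object-src 'self'; connect-src https://example.com/foo/user",
  "script-src 'self';object-src 'self'; connect-src https://example.com/*",
  "script-src 'self';object-src 'self'; connect-src * ",
];
for (const policy of tried) console.log(JSON.stringify(lintConnectSrc(policy)));
```

The unquoted URL and the bare `*` are well-formed by this check, so the refusals reported for those two values are not explained by policy syntax.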

Replies

I am trying to connect to a site I have host permissions on from a browser page. This causes the same error. Is this by design, a bug, or can it be worked around?