content-security-policy meta tag for allowing web socket

If your WebSocket is on the same host/port then either connect-src 'self' or default-src 'self' SHOULD be sufficient, presuming that the browser has implemented the CSP spec change from https://github.com/w3c/webappsec-csp/issues/7 (PR).


To allow WebSockets in the security policy, add the WebSocket scheme (ws:) to the connect-src directive.

connect-src 'self' ws:;

Optionally, you can add the ws: scheme to default-src and omit connect-src (connect-src falls back to default-src when it is not set). Here is a useful example that enables most local development needs while still providing useful security constraints.

<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: ws: ssl.gstatic.com 'unsafe-inline';">

The documentation for content security policy is surprisingly good and easy to read.
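The following is an added example, not code from either answer above, that makes the two points concrete: it pulls the policy out of a meta tag like the one shown, then decides whether a given WebSocket URL is allowed by applying connect-src with the default-src fallback, the ws: scheme-source, and the post-issue-7 meaning of 'self' (same host and port, with ws:/wss: treated like the document's http:/https:). The function names (policyFromMeta, parsePolicy, connectionAllowed, urlMatchesSource), the sample meta tag and the test URLs are all constructed here; the matching rules are a deliberately reduced subset of the CSP3 algorithm (path-parts are ignored, only the ws:/wss: and http:/https: scheme upgrades are honoured), so a browser remains the authority on any edge case.

```javascript
// Added example: a small CSP checker for WebSocket connections.
// Re-implements a subset of CSP3 source matching; not a browser's own code.

const DEFAULT_PORTS = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };

// Extract the policy from a <meta http-equiv="Content-Security-Policy" content="..."> tag.
// The content attribute may be double- or single-quoted; 'self' etc. live inside it.
function policyFromMeta(html) {
  const m = html.match(/<meta[^>]*http-equiv=["']Content-Security-Policy["'][^>]*content=(?:"([^"]*)"|'([^']*)')/i);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// "name src src; name src" -> Map(name -> [src, ...]); the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Scheme-source matching with the "secure upgrade" rule: ws: also covers wss:,
// http: also covers https:. (The full CSP3 table has a few more entries.)
function schemeMatches(schemeSource, url) {
  const a = schemeSource.toLowerCase();
  const b = url.protocol;
  return a === b || (a === "ws:" && b === "wss:") || (a === "http:" && b === "https:");
}

// 'self' after the spec change: same host, same effective port, and either the same
// scheme, a secure scheme, or ws: from an http: document. Older browsers required an
// exact origin match, so ws://host did not match 'self' on http://host.
function selfMatches(url, doc) {
  if (url.hostname !== doc.hostname || effectivePort(url) !== effectivePort(doc)) return false;
  if (url.protocol === doc.protocol) return true;
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return doc.protocol === "http:" && url.protocol === "ws:";
}

// host-source: [scheme://]host[:port][/path]. "*." host prefix and "*" port are honoured;
// the path-part is ignored here (a simplification of the spec).
function hostMatches(expr, url, doc) {
  let e = expr.toLowerCase();
  const scheme = e.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (scheme) {
    if (!schemeMatches(scheme[1] + ":", url)) return false;
    e = e.slice(scheme[0].length);
  } else if (!schemeMatches(doc.protocol, url)) {
    return false; // no scheme given: the document's scheme (or its secure upgrade) is required
  }
  const slash = e.indexOf("/");
  if (slash !== -1) e = e.slice(0, slash);
  let host = e, port = null;
  const colon = e.lastIndexOf(":");
  if (colon !== -1) { host = e.slice(0, colon); port = e.slice(colon + 1); }
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== url.hostname) {
    return false;
  }
  if (port === "*") return true;
  if (port !== null) return port === effectivePort(url);
  return url.port === ""; // no port in the source: the URL must use its scheme's default port
}

function urlMatchesSource(expr, url, doc) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return selfMatches(url, doc);
  if (e === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  if (e.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: irrelevant to connections
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url);
  return hostMatches(e, url, doc);
}

// new WebSocket(url) is governed by connect-src, which falls back to default-src.
// With neither directive present the connection is unrestricted.
function connectionAllowed(policy, targetUrl, documentUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.has("connect-src") ? directives.get("connect-src") : directives.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(targetUrl);
  const doc = new URL(documentUrl);
  return sources.some((expr) => urlMatchesSource(expr, url, doc));
}

// Constructed sample: the development-style meta tag from the answer above.
const SAMPLE_HTML = `<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: ws: ssl.gstatic.com 'unsafe-inline';">`;
const SAMPLE_POLICY = policyFromMeta(SAMPLE_HTML);

console.log(connectionAllowed(SAMPLE_POLICY, "ws://localhost:8080/live", "http://localhost:8080/"));
console.log(connectionAllowed("connect-src https://api.example.com", "ws://example.com/socket", "http://example.com/"));
```

The second call shows the case people trip over: once connect-src is set it replaces default-src entirely, so a connect-src that lists only an https host does not permit ws://, even to the page's own origin, unless 'self' or ws: is added to it.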