content-security-policy meta tag for allowing web socket
If your websocket is on the same host/port then either connect-src 'self' or default-src 'self' SHOULD be sufficient - presuming that browsers have implemented the changes since the CSP spec changes in https://github.com/w3c/webappsec-csp/issues/7 (PR).
To add web sockets to the security policy you add the web socket protocol (ws:) to the connect-src directive.
connect-src 'self' ws:;
Optionally, you can add the ws: protocol to the default-src and omit connect-src. Here is a useful example that enables most local development needs while still providing useful security constraints.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: gap: ws: ssl.gstatic.com 'unsafe-inline';">
The documentation for content security policy is surprisingly good and easy to read.
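Added example, not part of either answer above: a simplified model of how a browser decides whether a WebSocket URL passes connect-src (or its default-src fallback), following the CSP Level 3 matching rules for 'self' and scheme-sources. The function names and the app.example / other.example origins are constructed for illustration; host-sources, '*', paths and redirects are not modeled.

```javascript
// Added example: simplified model of CSP Level 3 source matching for WebSocket URLs.
// Only 'self' and scheme-sources (e.g. ws:) are evaluated; host-sources, '*',
// paths and redirects are not modeled. All names here are hypothetical.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const effectivePort = (u) => u.port || DEFAULT_PORT[u.protocol];

// Directive name -> source list; the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// 'self': same host and port, and either the target is secure (wss) or the
// page itself was loaded over plain http (then ws is accepted too).
function selfMatches(origin, url) {
  const samePort = effectivePort(origin) === effectivePort(url) ||
    (origin.port === '' && url.port === '');
  return origin.hostname === url.hostname && samePort &&
    (url.protocol === 'wss:' || (origin.protocol === 'http:' && url.protocol === 'ws:'));
}

// Scheme-source: exact match, and ws: also covers the upgraded scheme wss:.
function schemeMatches(source, url) {
  return source === url.protocol || (source === 'ws:' && url.protocol === 'wss:');
}

// Is a WebSocket connection from pageOrigin to wsUrl allowed by the policy?
function websocketAllowed(policy, pageOrigin, wsUrl) {
  const directives = parsePolicy(policy);
  // connect-src governs WebSocket; default-src is the fallback when it is absent.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no applicable directive: not restricted
  const origin = new URL(pageOrigin);
  const url = new URL(wsUrl);
  return sources.some((s) =>
    s === "'self'" ? selfMatches(origin, url) : schemeMatches(s, url));
}
```

Running the two policies from the answers through this model shows that the bare ws: source admits WebSocket connections to any host, while 'self' alone admits only the page's own host and port.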