CSP's source expression 'self' and websockets

[Malvoz]

There was a CSP spec change to clarify/define that default-src and connect-src with the keyword 'self' should match ws(s):// websocket schemas, i.e:
Content-Security-Policy: default-src 'self' for https://example.com must not block connections to wss://example.com.

However, this wasn't implemented until Sep 17, 2018 in chromium/issues/detail?id=815142#c9 which according to the Chrome version history means that before v70 you must explicitly add your websocket URLs to either connect-src or default-src, e.g:
Content-Security-Policy: default-src 'self'; connect-src 'self' wss://example.com

This issues is a pretty big deal, so there should be a note. It may also be that Safari (w3c/webappsec-csp#7 (comment)), Edge (w3c/webappsec-csp#7 (comment)) and perhaps other browsers still haven't implemented this.

[mkurz]

There is finally work going on to get this fixed in Safari: https://bugs.webkit.org/show_bug.cgi?id=235873 (before it was https://bugs.webkit.org/show_bug.cgi?id=201591, which was marked as duplicate)

[mkurz]

https://bugs.webkit.org/show_bug.cgi?id=235873 is now resolved, so this should be fixed in the next Safari release 16 (maybe even 15.5 or 15.6 if those will happen)