From d1ab0a6d8633d47d0fd0fdbbae117179ec929b0d Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Tue, 6 Sep 2022 13:45:03 +0200
Subject: [PATCH] [CSP] Add documentation about connect_src for WebSocket
---
 config/content_security_policy.yml.example | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/content_security_policy.yml.example b/config/content_security_policy.yml.example
index a766f1ac..000cca6f 100644
--- a/config/content_security_policy.yml.example
+++ b/config/content_security_policy.yml.example
@@ -9,6 +9,10 @@ default: &default
 - https://*.s3.xopic.de
 - https://s3.openhpicloud.de
 - https://*.s3.openhpicloud.de
+ # Webkit didn't consider the WSS scheme as part of 'self', adding it explicitly
+ # See https://bugs.webkit.org/show_bug.cgi?id=235873
+ connect_src:
+ - wss://codeocean.openhpi.de
 # Optionally: Specify a custom, non-Sentry URL for reporting CSP violations
 # report_uri: https://example.com/csp-report
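Review bot: The added `connect_src` entry hard-codes `wss://codeocean.openhpi.de`, so a deployment that copies this example under another hostname either keeps its WebSockets blocked in WebKit or allows connections to an origin it does not operate. The comment should say the value is per-deployment, for example `# Replace the host with your own origin; only needed where WebKit does not match wss:// against 'self'`. The hunk does not show how the application combines this list with its built-in sources, so it is worth confirming that setting `connect_src` here extends rather than replaces what same-origin requests and the violation-reporting endpoint need. The `default: &default` mapping starts and continues outside the hunk.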