pusher / pusher-js

Pusher Javascript library
http://pusher.com
MIT License

OSX Sierra Safari not connecting to pusher #176

Closed beckmx closed 8 years ago

beckmx commented 8 years ago

Hello guys, there is an issue with Safari, which doesn't connect to Pusher in the new version of OS X. I guess this has to do with Safari implementing new HTML5 tags. The error the browser gives me is:

[Error] Refused to connect to wss://ws.pusherapp.com/app/cb83ffb2e230419bfaeb?protocol=7&client=js&version=3.0.0&flash=false because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

Failed to load resource: WebKit found and error

jpatel531 commented 8 years ago

Thanks a lot for bringing this up! I'll look into it asap


beckmx commented 8 years ago

I did this as a workaround, but sometimes the browser still keeps telling me there is an error, although it seems to connect OK like this


sandstrom commented 8 years ago

I'm seeing this too. Did you find anything? Only in Safari (10).

Related issue in Meteor: https://forums.meteor.com/t/warning-regarding-macos-sierra-safari-10-and-websockets/29612

trippytango commented 8 years ago

Hi guys,

I'm looking at pusher.js for my next project and this issue raises some concerns for me.

Is this still an issue?

If it's still an issue, is it being looked at, or is there potentially an ETA on it being fixed?

hph commented 8 years ago

@trippytango In short, you don't need to worry about this unless your website has a CSP configuration, in which case you should update it to allow Pusher connections.

To the others, unless I'm misunderstanding something, this is an issue with your Content Security Policy (CSP) that needs to be fixed and there is nothing wrong on our end.

The way CSP works is that if your web server sends HTTP headers including a restrictive CSP policy, or if you have similarly restrictive <meta http-equiv="Content-Security-Policy" ...> tags in your website, the browser will simply block the requests.

If you run into this issue you can either relax the restrictiveness of your CSP or add a rule to allow Pusher domains & requests.

I'll close this issue so there's no confusion for other people that might see this and I'll be updating the README for others that might have a strict CSP.

If you run into any issues, related to this or not, feel free to open an issue here or contact support directly.

sandstrom commented 8 years ago

I investigated this, so I can add some more details for others with this issue.

Yes, nothing wrong with Pusher!

This is an issue with Safari 10 and how they parse the CSP policy.

One work-around is to add ws://* and wss://* to connect-src (use * for everything, or restrict to hostname, the important piece is that the protocol must be specified).

jaspal747 commented 5 years ago

I used connect-src 'self' *.pusherapp.com *.pusher.com ; to whitelist my domain and pusher.
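
A policy check for the situation discussed in this thread, as an added example that is not part of any comment above and not pusher-js code: it reports whether a policy's connect-src (or default-src fallback) names the WebSocket scheme explicitly, which is the form sandstrom's workaround relies on, or covers the host only through a scheme-less source. The function names (`parseCsp`, `hostMatches`, `classifyConnect`) and the `APP_KEY` placeholder are assumptions; keyword sources such as 'self' are skipped because they depend on the page's own origin.

```javascript
// Added example, not pusher-js code. Ports and paths in sources are ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Match a host part ("*", "*.example.com", "example.com") against a hostname.
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return hostname.endsWith(p.slice(1));
  return p === hostname;
}

// Classify how a policy covers one WebSocket endpoint:
//   'unrestricted' neither connect-src nor default-src is present
//   'explicit'     a source names the endpoint's scheme (wss: or wss://host)
//   'scheme-less'  only a host source without a scheme matches
//   'blocked'      no host source matches
function classifyConnect(policy, endpoint) {
  const csp = parseCsp(policy);
  const sources = csp['connect-src'] || csp['default-src'];
  if (!sources) return 'unrestricted';
  const url = new URL(endpoint);
  let result = 'blocked';
  for (const src of sources) {
    if (src.startsWith("'")) continue; // keywords ('self', 'none') are not evaluated
    if (src.toLowerCase() === url.protocol) return 'explicit'; // scheme source, e.g. wss:
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m || !hostMatches(m[2], url.hostname)) continue;
    if (!m[1]) result = 'scheme-less';
    else if (m[1].toLowerCase() + ':' === url.protocol) return 'explicit';
  }
  return result;
}

// Constructed sample: APP_KEY is a placeholder; the host is the one in the error above.
const endpoint = 'wss://ws.pusherapp.com/app/APP_KEY?protocol=7';
console.log(classifyConnect("connect-src 'self' *.pusherapp.com *.pusher.com ;", endpoint));
console.log(classifyConnect("connect-src 'self' wss://*.pusherapp.com", endpoint));
```

A 'scheme-less' result marks a policy that may need the explicit ws:// or wss:// form described in the workaround above.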