
Using CSP (Content Security Policy) with a custom protocol

I'm in a bit of a pinch, developing a fund broker site.

As part of our security policies, CSP is implemented across our servers, but now we're implementing communication with desktop software supplied by Scandinavian banks (BankID).

With this, a problem arises: to open the BankID desktop software, a link should be clicked with a custom protocol, looking like this:

bankid://?orderref=[GUID]&autostarttoken=[GUID]

As I'm sure you understand, I'm having serious problems allowing this link through our CSP policies. My searches have yielded no results, and I have run out of ideas.

I have tried allowing a wildcard domain under the protocol, thus:

Content-Security-Policy: default-src 'self' bankid://*;

It works perfectly if I turn off CSP, so it's definitely the issue.

Anyone have any experience with this? Any help is greatly appreciated.


EDIT

After a few more hours of searching, I found the following on the Mozilla Wiki:

We need an application delivery mechanism that provides assurances on app integrity and authenticity, and also allows for well-defined application & privilege scope enforcement so integrity can be maintained at runtime.

And further:

Privileged and certified apps will be accessed via a unique scheme (app://). The domain will correspond to the app id.

I'm not sure if this would be applicable, but if I read this right, it means that Mozilla are considering how to tackle this very issue.

It seems that you were very close to the solution; you only have to alter the syntax a little bit. By removing the slashes it should work just fine.

Content-Security-Policy: default-src 'self' bankid:;

To summarize:

  • Quotes ("'): NO
  • Slashes (//): NO
  • Colon (:): YES
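To show why the answer's syntax change matters, here is an added example that is not part of the original question or answer and not BankID's or any browser's code. It implements the relevant parts of the CSP3 source-expression grammar and URL-matching rules in Python: a scheme-source such as `bankid:` matches any URL with that scheme, while a host-source such as `bankid://*` is syntactically fine but can never match the BankID link, because that link has no host (`bankid://?orderref=...` has an empty authority) and CSP's host-source matching rejects host-less URLs. The origin `https://broker.example`, the GUIDs and the policy strings are constructed placeholders; the `'self'` and port handling are simplified relative to the full specification.

```python
"""Added example (not from the original page): a small CSP default-src checker
that classifies source expressions and decides whether a URL is allowed.
Grammar and matching follow CSP Level 3, simplified for 'self' and ports."""

import re
from urllib.parse import urlsplit

# scheme-part per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
# scheme-source: a scheme followed by a single colon, e.g. "bankid:"
SCHEME_SOURCE = re.compile(rf"^{SCHEME}:$")
# host-source: [ scheme "://" ] host [ ":" port ] [ path ], e.g. "bankid://*"
HOST_SOURCE = re.compile(
    rf"^(?:(?P<scheme>{SCHEME})://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"
    r"(?::(?P<port>\*|[0-9]+))?"
    r"(?P<path>/[^\s;,]*)?$"
)
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed sample values (placeholders, not real identifiers).
ORIGIN = "https://broker.example"
LINK = ("bankid://?orderref=00000000-0000-0000-0000-000000000001"
        "&autostarttoken=00000000-0000-0000-0000-000000000002")
ATTEMPT = "default-src 'self' bankid://*;"   # the policy from the question
FIX = "default-src 'self' bankid:;"          # the policy from the answer


def classify(expr: str):
    """Return the CSP source-expression kind, or None if a browser would drop it."""
    if expr in KEYWORDS:
        return "keyword-source"
    if SCHEME_SOURCE.match(expr):
        return "scheme-source"
    if HOST_SOURCE.match(expr):
        return "host-source"
    return None


def url_matches(url: str, expr: str, self_origin: str) -> bool:
    """CSP3 'Does url match expression' for scheme-, host- and 'self' sources."""
    u = urlsplit(url)
    kind = classify(expr)
    if kind is None or (kind == "keyword-source" and expr != "'self'"):
        return False
    if expr == "'self'":
        # Simplified: same scheme, host and port as the page's origin.
        s = urlsplit(self_origin)
        return (u.scheme.lower(), u.hostname, u.port) == (s.scheme.lower(), s.hostname, s.port)
    if kind == "scheme-source":
        return u.scheme.lower() == expr[:-1].lower()
    m = HOST_SOURCE.match(expr)
    if m.group("scheme") and m.group("scheme").lower() != u.scheme.lower():
        return False
    if not u.hostname:
        # CSP3: a host-source never matches a URL whose host is null.
        # This is exactly why "bankid://*" cannot allow "bankid://?orderref=...".
        return False
    host, uhost = m.group("host").lower(), u.hostname.lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif host != "*" and host != uhost:
        return False
    port = m.group("port")
    uport = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    if port is None:
        if uport != DEFAULT_PORTS.get(u.scheme.lower()):
            return False
    elif port != "*" and int(port) != uport:
        return False
    path = m.group("path")
    if path:
        if path.endswith("/"):
            if not u.path.startswith(path):
                return False
        elif u.path != path:
            return False
    return True


def directive_sources(policy: str, directive: str = "default-src"):
    """Return the source list of one directive from a CSP header value."""
    for d in policy.split(";"):
        tokens = d.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return []


def invalid_sources(policy: str, directive: str = "default-src"):
    """Source expressions a browser would ignore (and warn about) as malformed."""
    return [s for s in directive_sources(policy, directive) if classify(s) is None]


def allowed(url: str, policy: str, self_origin: str, directive: str = "default-src") -> bool:
    return any(url_matches(url, s, self_origin) for s in directive_sources(policy, directive))


if __name__ == "__main__":
    for name, policy in (("question", ATTEMPT), ("answer", FIX)):
        print(f"{name}: BankID link allowed = {allowed(LINK, policy, ORIGIN)}")
```

Running the block prints that the question's policy does not allow the link while the answer's does; `invalid_sources` also reports the two forms the summary rules out, a quoted `'bankid:'` and a bare `bankid://`, as expressions the browser would discard entirely.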
