Content Security Policy Header

I’m currently developing a chatbot using RASA. Now we want to include the chatbot in our website using socket.io.

The guy from the website team asks me to set, in socket.io’s Content Security Policy header, the default-src or connect-src value, since he gets the following error:

xyz.js:1 Refused to connect to ‘http://$OUR_URL$/socket.io/?EIO=3&transport=polling&t=MoAsBla’ because it violates the following Content Security Policy directive: “default-src https: http://localhost”. Note that ‘connect-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

When opening the website on a local server on localhost it works. It doesn’t work when the website is deployed to a server.

However, I can’t find where I can set it.

Can anybody help? Thanks!
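To make the fallback named in the quoted error concrete, here is an added example (not code from the thread, from Rasa or from socket.io) that models the browser's connect-src/default-src check in JavaScript; the policy string is the one from the error, while chatbot.example.com is a constructed stand-in for the deployed host.

```javascript
// Added illustration (not code from the thread or from Rasa/socket.io): a
// minimal model of the browser-side CSP check behind the "Refused to connect"
// error. It covers just what that error needs: scheme sources ("https:"),
// scheme-prefixed host sources ("http://localhost"), and the rule that
// connect-src falls back to default-src when connect-src is not set.

// "default-src https: http://localhost; connect-src ..." -> { name: [sources] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// CSP lets an http: expression also match https: URLs (secure upgrade).
function schemeMatches(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme || (sourceScheme === 'http:' && urlScheme === 'https:');
}

// Simplified source-expression matching: no wildcards, paths or bare hosts.
function sourceMatches(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {           // scheme source, e.g. "https:"
    return schemeMatches(source.toLowerCase(), u.protocol);
  }
  const s = new URL(source);                             // host source, e.g. "http://localhost"
  return schemeMatches(s.protocol, u.protocol) && s.hostname === u.hostname && s.port === u.port;
}

// connect-src governs XHR/fetch/WebSocket/EventSource (socket.io's polling and
// websocket transports included); when it is absent, default-src applies instead.
function connectAllowed(header, url) {
  const policy = parseCsp(header);
  const sources = policy['connect-src'] ?? policy['default-src'];
  if (sources === undefined) return true; // no applicable directive at all
  return sources.some((src) => sourceMatches(src, url));
}

// The policy quoted in the error, with constructed placeholder URLs for the
// deployed bot host (the real host is not given in the question).
const CSP_FROM_ERROR = 'default-src https: http://localhost';
const POLL = '/socket.io/?EIO=3&transport=polling';
console.log(connectAllowed(CSP_FROM_ERROR, 'http://localhost' + POLL));            // true: local test works
console.log(connectAllowed(CSP_FROM_ERROR, 'http://chatbot.example.com' + POLL));  // false: the refused request
console.log(connectAllowed(CSP_FROM_ERROR, 'https://chatbot.example.com' + POLL)); // true: "https:" scheme source
// An explicit connect-src replaces the default-src fallback outright; it does not merge with it.
const WITH_CONNECT = CSP_FROM_ERROR + '; connect-src http://chatbot.example.com';
console.log(connectAllowed(WITH_CONNECT, 'http://chatbot.example.com' + POLL));    // true
console.log(connectAllowed(WITH_CONNECT, 'http://localhost' + POLL));              // false: no longer listed
```

Note that the header being checked is the one served with the web page that embeds the chat widget, not anything the socket.io endpoint sends, which is why the bot server has nowhere to "set" it.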

Mhm, I am not sure we actually set that header. As far as I can see, the header is not specified anywhere. Judging by the Mozilla docs (Chrome should do the same thing: Content Security Policy (CSP) - HTTP | MDN), the browser should fall back to CORS headers if CSP is not present. You can specify the CORS headers when using rasa (e.g. using --cors "*" when running on the command line). Does that work for you?