[Libwebsockets] Content-Security-Policy

Alexander Zvyagin zvyagin.alexander at gmail.com
Thu Jan 31 01:04:44 CET 2019


I have a question concerning Content-Security-Policy.

My application is split into two parts. The server is written in a C++
code with libwebsocket interface (based on minimal-ws-server.c code).
The client is meteor-react application (which is basically means it
consists from lots of nodejs packages). The client code after
"building" stage compiles into two files "index.html" and "index.js".
And the server successfully serves them and my websocket protocol, so
I am happy.

Almost. I had to disable in firefox browser checks for Content-Security-Policy.

Now it is time to fix this little problem, but I am not sure how. The
"index.js" file is built with webpack. The file is big. It contains
lots of "eval()" calls from external libraries. Modifying it is not an
option. Most probably I need to apply a different security policy on
the server side, right? Something with "unsafe-eval", I think. The
file "./lib/roles/http/header.c" has the code with
Content-Security-Policy settings, but I am not sure it is a good idea
to modify it.

What would you recommended me to do?

Thanks a lot in advance!

More information about the Libwebsockets mailing list