In HTML I have this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src file: https://data.global ws://localhost:* http://localhost:*; img-src http://localhost:* file: blob: data:; font-src file: http://localhost:*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" />
But for connect-src I have many domains that I want to whitelist. Sometimes they are created frequently so I don't want to keep updating them every time. Is there a way to allow all domains? I might delete connect-src but then default-src will kick in and break it.
Use * to match any HTTP/HTTPS origin as well as the current origin's scheme. Use https to match any HTTPS origin.
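
The following is an added example, not part of the original question or answer: a simplified JavaScript model of how the directive for fetch/XHR/WebSocket requests is chosen (connect-src, else default-src) and how a URL is matched against `*`, `https:`, `'self'` and host sources. The page origin `http://localhost:3000` and the host `api.example.com` are assumptions for illustration; matching follows the answer's description and omits path, wildcard-host and scheme-upgrade rules.

```javascript
// Simplified model of CSP directive lookup and source matching (added example).
// Covers only '*', scheme sources (https:), 'self' and scheme://host[:port|:*].
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  if (source === '*') {
    // As the answer states: HTTP/HTTPS plus the page's own scheme, so data:, blob: etc. stay blocked.
    return ['http:', 'https:'].includes(u.protocol) || u.protocol === self.protocol;
  }
  if (source === "'self'") return u.origin === self.origin;
  // Scheme source such as "https:" (exact scheme comparison in this model).
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false; // keywords such as 'unsafe-eval' never match a URL
  const [, scheme, host, port] = m;
  if (u.protocol !== scheme.toLowerCase() + ':' || u.hostname !== host.toLowerCase()) return false;
  const defaultPort = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[u.protocol];
  return port === '*' || (u.port || defaultPort) === (port || defaultPort);
}

// connect-src governs these requests; default-src applies only when it is absent.
function connectAllowed(policy, url, selfOrigin) {
  const d = parsePolicy(policy);
  const sources = d.get('connect-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no governing directive, nothing is blocked
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

const SELF = 'http://localhost:3000'; // assumed page origin (constructed)
// connect-src and default-src as written in the question's meta tag.
const PAGE = "default-src 'self'; connect-src file: https://data.global ws://localhost:* http://localhost:*";
const NO_CONNECT = "default-src 'self'";                      // connect-src deleted
const ANY_ORIGIN = "default-src 'self'; connect-src *";       // first option in the answer
const HTTPS_ONLY = "default-src 'self'; connect-src https:";  // narrower option
```

In this model `connect-src https:` replaces the whole list, so any non-HTTPS entries still needed (such as the question's `ws://localhost:*` and `http://localhost:*`) have to be kept alongside it.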