electron content-security-policy

Content Security Policy wildcard seems to be ignored


To give some context, this is an Electron app, loading the index.html using file://

It seems like the content security policy is contradicting itself:

Refused to connect to 'https://o944978.ingest.sentry.io/api/5893671/envelope/?sentry_key=0a6134a5d89d40c4954c6144b0e63c64&sentry_version=7' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' 'self' 'unsafe-eval' data: *.sentry.io *.cloudfront.net". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

That URL clearly matches the wildcard *.sentry.io, or am I missing something?


Solution

  • I'm gonna answer myself here: You can't.

    The 2 options are: disabling web security or starting a static web server.
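An added example, not part of the original question or answer: a simplified model of how CSP Level 3 matches a host-source such as "*.sentry.io" against a request URL. A source written without a scheme is checked against the scheme of the page itself, which is "file" when index.html is loaded over file://. The function names and sample URLs are constructed for illustration, and port and path matching are left out.

```javascript
// Simplified model of CSP Level 3 host-source matching: scheme and host only,
// ports and paths are left out. Added illustration, not Chromium/Electron code.

// "scheme-part match": equal schemes, plus the secure upgrades CSP allows.
function schemePartMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (a === 'http') return b === 'https';
  if (a === 'ws') return ['wss', 'http', 'https'].includes(b);
  if (a === 'wss') return b === 'https';
  return false;
}

// "*.sentry.io" matches any subdomain of sentry.io, but not sentry.io itself.
function hostPartMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function hostSourceMatches(expression, pageUrl, requestUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expression);
  const req = new URL(requestUrl);
  if (!m || !req.hostname) return false;
  const [, exprScheme, exprHost] = m;
  // No scheme in the source expression: the page's own scheme is used.
  const scheme = exprScheme || new URL(pageUrl).protocol.slice(0, -1);
  if (!schemePartMatches(scheme, req.protocol.slice(0, -1))) return false;
  return hostPartMatches(exprHost, req.hostname);
}

// Constructed sample URLs.
const REQUEST = 'https://o0.ingest.sentry.io/api/0/envelope/';
const FILE_PAGE = 'file:///opt/app/index.html';
const HTTP_PAGE = 'http://localhost:3000/index.html';

function demo() {
  return {
    fileSchemeless: hostSourceMatches('*.sentry.io', FILE_PAGE, REQUEST),
    fileExplicit: hostSourceMatches('https://*.sentry.io', FILE_PAGE, REQUEST),
    httpSchemeless: hostSourceMatches('*.sentry.io', HTTP_PAGE, REQUEST),
  };
}

console.log(demo());
```

In this model the schemeless wildcard fails only for the file:// page; it matches once the page is served over http (the static web server option), and a source with an explicit https scheme matches from either page.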