From fb92f670532c65cc8c07fac2417452b4d451fc72 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Tue, 21 Aug 2018 11:54:03 -0400
Subject: [PATCH] add websockets to CSP

---
 util/Setup/NginxConfigBuilder.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index 269207a692..0ca1565745 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@@ -14,7 +14,7 @@ namespace Bit.Setup
             "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
             "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
             "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
-            "connect-src 'self' https://haveibeenpwned.com https://api.pwnedpasswords.com;";
+            "connect-src 'self' wss://{0} https://haveibeenpwned.com https://api.pwnedpasswords.com;";
 
         public NginxConfigBuilder(string domain, string url, bool ssl, bool selfSignedSsl, bool letsEncrypt,
             bool trusted, bool diffieHellman)
@@ -147,7 +147,7 @@ server {{
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection ""1; mode=block"";
     add_header Referrer-Policy same-origin;
-    add_header Content-Security-Policy ""{ContentSecurityPolicy}"";
+    add_header Content-Security-Policy ""{string.Format(ContentSecurityPolicy, Domain)}"";
   }}
 
   location = /app-id.json {{