fix: Support adding websocket endpoints to connect-src CSP automatically

Fixes #5

Author: PSanetra

config/templates/content_security_policy.tmpl

@@ -11,7 +11,7 @@
   {{ if and .hardening.whitelist_spa_config_endpoints_as_connect_sources (not (index .hardening.content_security_policy "connect-src")) (ne (len .spa_config.endpoints) 0) -}}
     connect-src
     {{- range $key, $value := .spa_config.endpoints -}}
-      {{- if $value | regexp.Match "^http(s)?:\\/\\/" -}}
+      {{- if $value | regexp.Match "^(http(s)?|ws(s)?):\\/\\/" -}}
         {{- $url := $value | conv.URL -}}
         {{ " " }}{{ $url.Scheme }}://{{ $url.Host }}
       {{- end -}}

tests/src/test/java/de/codecentric/spa/server/tests/ContentSecurityPolicyTests.java

@@ -34,7 +34,7 @@ public void shouldAddConnectSrcCspForConfiguredEndpointsByDefault() throws IOExc
             assertThat(response.statusCode()).isEqualTo(200);
 
             assertThat(response.headers().firstValue("Content-Security-Policy")).hasValue(
-                "base-uri 'self'; block-all-mixed-content; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; connect-src https://example.com:1234 http://example.com https://example.com 'self'");
+                "base-uri 'self'; block-all-mixed-content; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; connect-src https://example.com:1234 http://example.com https://example.com ws://example.com wss://example.com 'self'");
         }
     }
 

tests/src/test/resources/content_security_policy/config_with_endpoints.yaml

@@ -4,4 +4,7 @@ default:
       localApi: "/api"
       httpsApi: "https://example.com/api"
       httpApi: "http://example.com/api"
+      wssApi: "wss://example.com/api"
+      wsApi: "ws://example.com/api"
+      unknownSchemaApi: "unknown://example.com/api"
       apiWithPort: "https://example.com:1234/api"