starred/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2026-04-26 00:35:51 +03:00
Code Issues Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #13] CSP: Safari does not load Script / connect to WebSocket due to CSP errors #12

New issue
Closed
opened 2026-03-15 12:03:12 +03:00 by kerem · 4 comments
kerem commented 2026-03-15 12:03:12 +03:00
Owner
Copy link

Originally created by @SunflowerFuchs on GitHub (Sep 19, 2022).
Original GitHub issue: https://github.com/axllent/mailpit/issues/13

Safari handles the CSP differently and refuses to run Scripts / connect to the WebSocket. Chrome
It throws the following errors for me:
image

Setup:
I'm running Mailpit via docker (latest image) and access it via the current Safari (Version 15.6.1 (17613.3.9.1.16)) on MacOS Monterey Version 12.5.1.

As a workaround i've downgraded back to 1.1.3, so it's at least not an immediate issue for me.

Related:
It seems as if the connect-src 'self' issue is already known and has possibly been fixed in an upcoming version of safari:
https://github.com/w3c/webappsec-csp/issues/7

Originally created by @SunflowerFuchs on GitHub (Sep 19, 2022). Original GitHub issue: https://github.com/axllent/mailpit/issues/13 Safari handles the CSP differently and refuses to run Scripts / connect to the WebSocket. Chrome It throws the following errors for me: ![image](https://user-images.githubusercontent.com/18332886/190986460-75d3c65a-8d18-4f9a-977b-928c044b3c68.png) Setup: I'm running Mailpit via docker (latest image) and access it via the current Safari (Version 15.6.1 (17613.3.9.1.16)) on MacOS Monterey Version 12.5.1. As a workaround i've downgraded back to 1.1.3, so it's at least not an immediate issue for me. Related: It seems as if the `connect-src 'self'` issue is already known and has possibly been fixed in an upcoming version of safari: https://github.com/w3c/webappsec-csp/issues/7
kerem closed this issue 2026-03-15 12:03:18 +03:00
kerem commented 2026-03-15 12:03:23 +03:00
Author
Owner
Copy link

@SunflowerFuchs commented on GitHub (Sep 19, 2022):

I've installed the Safari Technology Preview and tested it there, and there are no more errors there, everything works fine.
This means that this is issue possibly mostly relevant as documentation for others encountering this problem, and doesn't need any actual code changes.

<!-- gh-comment-id:1250784821 --> @SunflowerFuchs commented on GitHub (Sep 19, 2022): I've installed the Safari Technology Preview and tested it there, and there are no more errors there, everything works fine. This means that this is issue possibly mostly relevant as documentation for others encountering this problem, and doesn't need any actual code changes.
kerem commented 2026-03-15 12:03:29 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 19, 2022):

@SunflowerFuchs, firstly thank you for not only reporting the Safari compatibility issue, but also for finding and linking the known bug, plus of course testing with the technology preview version.

I think that the reasons for those HTTP headers are (or at least should be) obvious - to prevent the loading & execution of remote JavaScript stored in any email. This is a security precaution since emails are rendered in the browser vs: an email client which lacks many of the browser's capabilities.

I found that by adding ws: and wss: to the list of connect-src options in the HTTP header is a good work-around for the issue, and appears to resolve the issue here in my testing (I was able to replicate it in my virtual Mac). The new docker release should be ready in the next 10 minutes for testing. Please re-open if still an issue for you (with the current stable version of Sarafi), else please also comment back if it resolves it for you. Apologies, my git commit auto-closed the GitHub issue.

<!-- gh-comment-id:1250836968 --> @axllent commented on GitHub (Sep 19, 2022): @SunflowerFuchs, firstly thank you for not only reporting the Safari compatibility issue, but also for finding and linking the known bug, plus of course testing with the technology preview version. I think that the reasons for those HTTP headers are (or at least should be) obvious - to prevent the loading & execution of remote JavaScript stored in any email. This is a security precaution since emails are rendered in the browser vs: an email client which lacks many of the browser's capabilities. I found that by adding `ws:` and `wss:` to the list of `connect-src` options in the HTTP header is a good work-around for the issue, and appears to resolve the issue here in my testing (I was able to replicate it in my virtual Mac). The new docker release should be ready in the next 10 minutes for testing. Please re-open if still an issue for you (with the current stable version of Sarafi), else please also comment back if it resolves it for you. Apologies, my git commit auto-closed the GitHub issue.
kerem commented 2026-03-15 12:03:34 +03:00
Author
Owner
Copy link

@SunflowerFuchs commented on GitHub (Sep 19, 2022):

I've just pulled the latest image, i can confirm that everything works again. Thank you so much for the quick fix.

<!-- gh-comment-id:1250850376 --> @SunflowerFuchs commented on GitHub (Sep 19, 2022): I've just pulled the latest image, i can confirm that everything works again. Thank you so much for the quick fix.
kerem commented 2026-03-15 12:03:39 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 19, 2022):

Glad to hear it, and thanks again for testing & the bug report!

<!-- gh-comment-id:1250851644 --> @axllent commented on GitHub (Sep 19, 2022): Glad to hear it, and thanks again for testing & the bug report!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
master
v1.29.7
v1.29.6
v1.29.5
v1.29.4
v1.29.3
v1.29.2
v1.29.1
v1.29.0
v1.28.4
v1.28.3
v1.28.2
v1.28.1
v1.28.0
v1.27.11
v1.27.10
v1.27.9
v1.27.8
v1.27.7
v1.27.6
v1.27.5
v1.27.4
v1.27.3
v1.27.2
v1.27.1
v1.27.0
v1.26.2
v1.26.1
v1.26.0
v1.25.1
v1.25.0
v1.24.2
v1.24.1
v1.24.0
v1.23.2
v1.23.1
v1.23.0
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.21.1
v1.21.0
v1.20.7
v1.20.6
v1.20.5
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.18.7
v1.18.6
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.1
v1.15.0
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.4
v1.10.3
v1.10.2
v1.10.1
v1.10.0
v1.9.10
v1.9.9
v1.9.8
v1.9.7
v1.9.6
v1.9.5
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.1
v1.7.0
v1.6.22
v1.6.21
v1.6.20
v1.6.19
v1.6.18
v1.6.17
v1.6.16
v1.6.15
v1.6.14
v1.6.13
v1.6.12
v1.6.11
v1.6.10
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2
v1.6.1
v1.6.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.0
v1.3.11
v1.3.10
v1.3.9
v1.3.8
v1.3.7
v1.3.6
v1.3.5
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.9
v1.2.8
v1.2.7
v1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0
1.1.7
1.1.6
1.1.5
1.1.4
1.1.3
1.1.2
1.1.1
1.1.0
1.0.0
1.0.0-beta1
0.1.5
0.1.4
0.1.3
0.1.2
0.1.1
0.1.0
0.0.9
0.0.8
0.0.7
0.0.6
0.0.5
0.0.4
0.0.3
0.0.2
0.0.1-beta
Labels
Clear labels   
awaiting feedback

   
bug

   
docker

   
documentation

   
enhancement

   
github_actions

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
wontfix
No labels
awaiting feedback
bug
docker
documentation
enhancement
github_actions
invalid
pull-request
question
stale
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/mailpit#12
No description provided.