How to prevent Cross-Site WebSocket Hijacking
Content Security Policy 2.0
Content Security Policy provides the connect-src directive, which applies to Ajax/fetch, EventSource and WebSocket connections opened by the page:
Content-Security-Policy: connect-src 'self' trusted-partner.com:8080;
But this directive only restricts the origins that the page carrying the policy is allowed to connect to. In Cross-Site WebSocket Hijacking the connection is opened from the attacker's page, which carries whatever policy the attacker chooses, so the victim site's Content Security Policy is never evaluated and cannot block the request. Cross-Origin Resource Sharing (Access-Control-Allow-Origin) does not restrict WebSockets either: the browser sends an Origin header with the upgrade request, but it does not enforce any CORS response header on a WebSocket, so the server has to validate Origin itself.