ActionCable doesn't work on Safari due to connect-src: 'self' having a different origin with a different protocol

[joshmcarthur]

• CSP: connect-src 'self' and websockets w3c/webappsec-csp#7
• Configure Content Security Policy for Action Cable rails/rails#31309

connect-src: 'self' only allows connections to the same origin - which wss://my-host-name is not, since the protocol is different. This is fixed in an upcoming Safari version, but is probably worth fixing internally as well since it's perfectly balanced between not being picked up in testing potentially, and also can have quite a large impact (no Turbo broadcasts or other ActionCable stuff will work)

If we have a reference to a host to mail to, we might be able to use that?

[eoinkelly]

w3c/webappsec-csp#7 (comment) says

this should be fixed in the next Safari release 16 (maybe even 15.5 or 15.6 if those will happen)

The current version of Safari is 15.6. Can we verify that this issue is fixed in 15.6?

I'm tempted to do nothing here because this problem is going away and any app built with this template would be at least 3-6 months from launch which gives users even more time to upgrade their Safari.