Using CSP (Content Security Policy) with a custom protocol


I'm in a bit of a pinch, developing a fund broker site.

As part of our security policies, CSP is implemented across our servers, but now, we're implementing communication with desktop software supplied by Scandinavian banks (BankID).

With this, a problem arises: to open the BankID desktop software, a link should be clicked with a custom protocol, looking like this:

bankid://?orderref=[GUID]&autostarttoken=[GUID]

As I'm sure you understand, I'm having serious problems allowing this link through our CSP policies. My searches have yielded no results, and I have run out of ideas.

I have tried allowing a wildcard domain under the protocol, thus:

Content-Security-Policy: default-src 'self' bankid://*;

It works perfectly if I turn off CSP, so it's definitely the issue.

Anyone have any experience with this? Any help is greatly appreciated.


EDIT

After a few more hours searching, I found the following on the Mozilla Wiki:

We need an application delivery mechanism that provides assurances on app integrity and authenticity, and also allows for well-defined application & privilege scope enforcement so integrity can be maintained at runtime.

And further:

Privileged and certified apps will be accessed via a unique scheme (app://). The domain will correspond to the app id.

I'm not sure if this would be applicable, but if I read this right, it means that Mozilla are considering how to tackle this very issue.

There is 1 answer below


It seems that you were very close to the solution; you only have to alter the syntax a little bit. By removing the slashes, it should work just fine.

Content-Security-Policy: default-src 'self' bankid:;

To summarize:

  • Quotes ("'): NO
  • Slashes (//): NO
  • Colon (:): YES
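To make the difference between the two spellings concrete, here is an added example (not code from the question or the answer) in JavaScript: a small matcher for CSP source expressions, modelled on the source-list matching rules of CSP Level 3. It classifies each token of a directive value as a keyword, a scheme-source (a scheme name followed by a bare colon, such as bankid:) or a host-source (such as bankid://*), and then checks a URL against the list. The origin, header values and the bankid URL are constructed sample inputs, ports and paths in host-sources are left out, and one rule is assumed as modelled here: a host-source is compared against the URL's host, and bankid://?orderref=... carries no host, so bankid://* has nothing to match while bankid: matches on scheme alone.

```javascript
// Added example, not code from the original question or answer: a small matcher
// for CSP source expressions, modelled on the source-list matching rules of CSP
// Level 3, to show why the scheme-source "bankid:" matches a
// bankid://?orderref=... URL while the host-source "bankid://*" does not.
// The policies, origin and URLs below are constructed sample inputs. Ports and
// paths in host-sources are left out, and one rule is assumed as modelled here:
// a host-source is compared against the URL's host, and bankid://?... has none.

// Pull one directive's value out of a Content-Security-Policy header value.
function directiveValue(header, name) {
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1).join(" ");
  }
  return null;
}

// Classify one source expression as keyword, scheme-source or host-source.
function classifySource(expr) {
  if (/^'[^']*'$/.test(expr)) return { kind: "keyword", value: expr.toLowerCase() };
  // scheme-source: scheme name followed by a bare colon, e.g. "bankid:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return { kind: "scheme", scheme: expr.slice(0, -1).toLowerCase() };
  }
  // host-source: [scheme "://"] host, where host may be "*" or "*.example.com"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$/i.exec(expr);
  if (m) return { kind: "host", scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
  return { kind: "invalid", value: expr };
}

// Scheme match, including the http -> https upgrade that CSP permits.
function schemeMatches(pattern, scheme) {
  return pattern === scheme || (pattern === "http" && scheme === "https");
}

// Host match: "*" matches any host, "*.example.com" matches subdomains only.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.length > pattern.length - 1 && host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does a single parsed source expression match urlString for a page at selfOrigin?
function sourceMatches(src, urlString, selfOrigin) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  if (src.kind === "keyword") return src.value === "'self'" && url.origin === selfOrigin;
  if (src.kind === "scheme") return schemeMatches(src.scheme, scheme);
  if (src.kind === "host") {
    const selfScheme = new URL(selfOrigin).protocol.slice(0, -1);
    if (!schemeMatches(src.scheme || selfScheme, scheme)) return false;
    // Assumed rule: a URL without a host gives a host-source nothing to match.
    if (url.hostname === "") return false;
    return hostMatches(src.host, url.hostname.toLowerCase());
  }
  return false; // unparseable expressions never grant anything
}

// Does the named directive in this policy allow urlString?
function policyAllows(header, directive, urlString, selfOrigin) {
  const value = directiveValue(header, directive);
  if (value === null) return false;
  return value.split(/\s+/).filter(Boolean).map(classifySource)
    .some((src) => sourceMatches(src, urlString, selfOrigin));
}

// Constructed sample inputs mirroring the question and the answer.
const SELF = "https://broker.example";
const BANKID_LINK = "bankid://?orderref=11111111-2222-3333-4444-555555555555"
  + "&autostarttoken=66666666-7777-8888-9999-000000000000";
const ATTEMPTED = "default-src 'self' bankid://*"; // the syntax from the question
const FIXED = "default-src 'self' bankid:";        // the syntax from the answer

console.log(policyAllows(ATTEMPTED, "default-src", BANKID_LINK, SELF)); // false
console.log(policyAllows(FIXED, "default-src", BANKID_LINK, SELF));     // true
```

Running it prints false for the bankid://* policy and true for the bankid: one; the same-origin resources stay allowed through 'self' in both cases, and a third-party https URL is allowed by neither, which is the behaviour the answer's summary describes.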