So before opening an issue on GitHub, I wanted to check here first whether I understood correctly and it is indeed a bug and not just a misunderstanding.
The file concerned is lib/defaults.js, and the relevant code lines are:
var domain = ' ' + Env.httpUnsafeOrigin;
[...]
"connect-src 'self' blob: " + **(/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://'))** + ' ' + domain + sandbox + accounts_api,
We check if our domain starts with "https:". This can never be true, because we set the variable to start with a space. So then it tries to replace "http://" with "ws://". If we only allow https, then this can also not happen and it just returns our variable domain which leads to the domain being listed twice in connect-src.
Also, even if our ternary were true, we would only append 'wss:', not 'wss://safedomain.com'.
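To make the two observations above concrete, here is an added example (not CryptPad's own code) that reproduces the connect-src construction as quoted and compares it with a corrected variant; the origins are constructed sample values, `suffix` stands in for the `sandbox + accounts_api` tail, and the corrected variant is an assumed fix, not the project's.

```javascript
// Added example: reproduces the quoted connect-src logic and a corrected variant.
// Origins below are constructed sample values, not real deployments.

// Mirrors the quoted lines: the origin is prefixed with a space, so the
// /^https:/ test can never match and the http:// -> ws:// replace always runs.
function buggyConnectSrc(httpUnsafeOrigin, suffix) {
  var domain = ' ' + httpUnsafeOrigin;
  return "connect-src 'self' blob: " +
    (/^https:/.test(domain) ? 'wss:' : domain.replace('http://', 'ws://')) +
    ' ' + domain + suffix;
}

// Same expression without the leading space, to show the second problem:
// when the ternary is true it yields a bare 'wss:' scheme, not a websocket origin.
function buggyConnectSrcNoSpace(httpUnsafeOrigin, suffix) {
  var domain = httpUnsafeOrigin;
  return "connect-src 'self' blob: " +
    (/^https:/.test(domain) ? 'wss:' : domain.replace('http://', 'ws://')) +
    ' ' + domain + suffix;
}

// Assumed correction: test the trimmed origin and derive the full websocket
// origin (wss://host for https, ws://host for http) before listing both.
function fixedConnectSrc(httpUnsafeOrigin, suffix) {
  var origin = String(httpUnsafeOrigin).trim();
  var wsOrigin = /^https:/.test(origin)
    ? origin.replace(/^https:\/\//, 'wss://')
    : origin.replace(/^http:\/\//, 'ws://');
  return "connect-src 'self' blob: " + wsOrigin + ' ' + origin + suffix;
}

// Helper: how many times a given origin appears in the directive string.
function countOccurrences(directive, origin) {
  return directive.split(origin).length - 1;
}
```

With an https origin, `buggyConnectSrc` lists the origin twice and never emits a websocket entry, while `fixedConnectSrc` emits one `wss://` origin plus the https origin.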