Hello! We're setting up a large, public CryptPad instance. We're currently configuring test instances to make sure we understand all the configuration parameters perfectly. Our test instance is here: https://0xfad.net/checkup
Two of the Content-Security-Policy tests fail, seemingly because of unexpected contents of the $connectSrc string in our Nginx config. However, our Nginx config is following the advanced template, with the recommended configuration added to account for dedicated api.0xfad.net and files.0xfad.net subdomains for future growth. Here's that part of our config:
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain} https://${api_domain} https://${files_domain}";
My question is, are there steps we should take to change the diagnostics themselves in this case, or is there something about this configuration that we're misunderstanding?
The host is Debian 13, the install strategy is the official non-docker strategy.