
I'm in a bit of a pinch, developing a fund broker site.

As part of our security policies, CSP is implemented across our servers, but now, we're implementing communication with desktop software supplied by Scandinavian banks (BankID).

With this, a problem arises: to open the BankID desktop software, a link should be clicked with a custom protocol, looking like this:

bankid://?orderref=[GUID]&autostarttoken=[GUID]

As I'm sure you understand, I'm having serious problems allowing this link through our CSP policies. My searches have yielded no results, and I have run out of ideas.

I have tried allowing a wildcard domain under the protocol, thus:

Content-Security-Policy: default-src 'self' bankid://*;

It works perfectly if I turn off CSP, so it's definitely the issue.

Anyone have any experience with this? Any help is greatly appreciated.


EDIT

After a few more hours searching, I found the following on the Mozilla Wiki:

We need an application delivery mechanism that provides assurances on app integrity and authenticity, and also allows for well-defined application & privilege scope enforcement so integrity can be maintained at runtime.

And further:

Privileged and certified apps will be accessed via a unique scheme (app://). The domain will correspond to the app id.

I'm not sure if this would be applicable, but if I read this right, it means that Mozilla are considering how to tackle this very issue.

Mark Pattison

1 Answer

It seems that you were very close to the solution; you only have to alter the syntax a little bit. By removing the slashes it should work just fine.

Content-Security-Policy: default-src 'self' bankid:;

To summarize:

  • Quotes ("'): NO
  • Slashes (//): NO
  • Colon (:): YES
Justus Romijn
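As an added illustration (not part of the original question or answer, and not code from BankID or any browser): a small JavaScript checker that splits a CSP header into directives, classifies each source expression according to the CSP source-expression grammar, and reports whether a given URL is allowed by a directive. It shows why bankid: (a scheme-source) matches the custom-protocol link while bankid://* (parsed as a host-source with a wildcard host) does not, and why a quoted 'bankid:' is not a valid source expression at all. The page origin https://broker.example, the GUID values and the header strings are constructed for the example. Treating a URL whose parsed host is the empty string as having no host for host-source matching is an assumption chosen to reproduce the blocked behaviour the question reports, not a statement about every browser's implementation.

```javascript
// Added example: a minimal CSP source-list checker for custom-scheme URLs.
// It follows the CSP3 source-expression grammar for the cases that matter here
// (keywords, '*', scheme-source, host-source); it is not a full CSP engine.

const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);

// scheme-source: scheme followed by a single colon, e.g. "bankid:" or "https:"
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;

// host-source: [scheme "://"] host [":" port] [path], where host may be "*" or "*.example"
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

// Classify one source expression from a directive's source list.
function parseSourceExpression(expr) {
  if (KEYWORDS.has(expr)) return { kind: "keyword", value: expr };
  if (expr === "*") return { kind: "wildcard" };
  if (SCHEME_SOURCE.test(expr)) return { kind: "scheme", scheme: expr.slice(0, -1).toLowerCase() };
  const m = HOST_SOURCE.exec(expr);
  if (m) {
    return { kind: "host", scheme: m[1] ? m[1].toLowerCase() : null,
             host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || null };
  }
  // Anything else is rejected, e.g. "'bankid:'" (quotes are only for keywords) or "bankid".
  return { kind: "invalid", value: expr };
}

// Return the source list of the named directive, or null if the header lacks it.
function directiveSources(cspHeader, name) {
  for (const raw of cspHeader.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does one source expression match `url`, for a page served from origin `self`?
function expressionMatches(expr, url, self) {
  const e = parseSourceExpression(expr);
  switch (e.kind) {
    case "keyword":
      // 'self' compares origins; a bankid: URL has an opaque origin ("null"), so it never matches.
      return e.value === "'self'" && url.origin === self.origin;
    case "wildcard":
      // "*" covers http(s) and the page's own scheme, not arbitrary custom schemes.
      return /^https?:$/.test(url.protocol) || url.protocol === self.protocol;
    case "scheme":
      // scheme-source: only the scheme is compared; host, port and path are irrelevant.
      return url.protocol === e.scheme + ":";
    case "host": {
      if (e.scheme && url.protocol !== e.scheme + ":") return false;
      // host-source needs a host to compare. "bankid://?orderref=..." parses with an empty
      // host; treating that as "no host" is an assumption matching the question's report.
      if (!url.hostname) return false;
      const h = url.hostname.toLowerCase();
      if (e.host === "*") return true;
      if (e.host.startsWith("*.")) {
        const suffix = e.host.slice(1);            // ".example.com"
        return h.endsWith(suffix) && h.length > suffix.length;
      }
      return h === e.host;
    }
    default:
      return false;
  }
}

// Top-level check: is `urlString` allowed by `directive` in `cspHeader`?
function cspAllows(cspHeader, directive, urlString, selfOrigin) {
  const sources = directiveSources(cspHeader, directive);
  if (sources === null) return true;              // directive absent: nothing restricts it here
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return sources.some((src) => expressionMatches(src, url, self));
}

// Constructed sample data (GUIDs and origin are placeholders, not real BankID values).
const BANKID_LINK =
  "bankid://?orderref=11111111-2222-3333-4444-555555555555&autostarttoken=66666666-7777-8888-9999-000000000000";
const PAGE_ORIGIN = "https://broker.example";
const HEADER_WITH_SLASHES = "default-src 'self' bankid://*;";   // the header from the question
const HEADER_WITH_COLON = "default-src 'self' bankid:;";        // the header from the answer

console.log("bankid://*  allows link:", cspAllows(HEADER_WITH_SLASHES, "default-src", BANKID_LINK, PAGE_ORIGIN));
console.log("bankid:     allows link:", cspAllows(HEADER_WITH_COLON, "default-src", BANKID_LINK, PAGE_ORIGIN));
console.log("'bankid:'   parses as:", parseSourceExpression("'bankid:'").kind);
```

The checker only models how source expressions are parsed and matched; which loads or navigations a given directive actually governs is decided by the browser, so the final test remains a browser with the header deployed and the console open for CSP violation reports.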