Safari blocking JavaScript due to misinterpreting Nginx settings

Safari is blocking JavaScript originating at 'self', from Google and also websockets.


Error message:


[Error] Refused to connect to wss://www.haaksploits.com/socket/websocket?token=undefined&vsn=2.0.0 because it does not appear in the connect-src directive of the Content Security Policy.
[Error] SecurityError (DOM Exception 18): The operation is insecure.
(anonymous function) (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:2:9470)
value (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:2:9470)
(anonymous function) (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:2:19153)
u (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:1:532)
(anonymous function) (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:2:18401)
u (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:1:532)
Global Code (app-91b11ab6e9ecf9a1f6d1da381ed10ccc.js:2:19661)
[Error] Refused to connect to https://www.google-analytics.com/j/collect?v=1&_v=j65&a=814839380&t=pageview&_s=1&dl=https%3A%2F%2Fwww.haaksploits.com%2Funclassified&ul=en-gb&de=UTF-8&dt=Haaksploits%3A%20Security%20Knowledge%20Base%20and%20Learning%20Repository&sd=24-bit&sr=1440x900&vp=1264x444&je=1&fl=27.0%20r0&_u=AACAAUQAIAAAAC~&jid=2118171923&gjid=53871193&cid=721557804.1510784240&tid=UA-108417664-1&_gid=1899688340.1510784240&_r=1&gtm=ube&z=1702695425 because it does not appear in the connect-src directive of the Content Security Policy.


The Nginx headers are set to allow these files:


add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' www.googletagmanager.com www.google-analytics.com; img-src 'self' www.google-analytics.com stats.g.doubleclick.net; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-src 'self'; connect-src 'self' wss://haaksploits.com wws://www.haaksploits.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; object-src 'none' ";


Does anyone know why this might be occurring and what the steps are to work around it without significantly compromising site security? Given the nature of and core demographic for the site, security is very, very important to me.


Additional info: I use the Cloudflare free service for SSL certification and additional security. The Safari version is 11.0.1 (13604.3.5).
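
One way to check a policy against the URLs a browser reports as blocked, added here as an example and not part of the original post: the script parses the posted header and explains, source by source, why each `connect-src` entry does or does not cover a target URL. The matcher is a simplified model built on assumptions: `'self'` is matched strictly (same scheme and host as the page), scheme-less hosts inherit the page's scheme, and wildcards, ports and paths are not handled. The function names and the two shortened test URLs are constructed for illustration.

```javascript
// Policy copied from the post; page origin taken from the dl= parameter in the logged error.
const POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' www.googletagmanager.com www.google-analytics.com; img-src 'self' www.google-analytics.com stats.g.doubleclick.net; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-src 'self'; connect-src 'self' wss://haaksploits.com wws://www.haaksploits.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; object-src 'none' ";
const PAGE = "https://www.haaksploits.com";

// Split the header into directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives;
}

// Return "match" or the reason this one source expression does not cover the URL.
// Simplified model (assumption): exact hosts only, strict 'self'.
function explainSource(source, url, page) {
  const scheme = url.protocol.slice(0, -1);
  if (source === "'self'") {
    return url.protocol === page.protocol && url.host === page.host
      ? "match" : "'self' is only " + page.origin;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:']+)$/i.exec(source);
  if (!m) return "unsupported source expression";
  const [, srcScheme = page.protocol.slice(0, -1), srcHost] = m;
  if (srcScheme.toLowerCase() !== scheme) return `scheme ${srcScheme} != ${scheme}`;
  if (srcHost.toLowerCase() !== url.hostname) return `host ${srcHost} != ${url.hostname}`;
  return "match";
}

// connect-src governs WebSocket, fetch/XHR and beacon requests; default-src is the fallback.
function checkConnect(header, target, pageOrigin) {
  const csp = parseCsp(header);
  const directive = csp.has("connect-src") ? "connect-src" : "default-src";
  const url = new URL(target), page = new URL(pageOrigin);
  const results = (csp.get(directive) || []).map(s => [s, explainSource(s, url, page)]);
  return { directive, allowed: results.some(([, r]) => r === "match"), results };
}

// Targets: the WebSocket URL from the log, plus a shortened (constructed) analytics URL.
for (const target of ["wss://www.haaksploits.com/socket/websocket?token=undefined&vsn=2.0.0",
                      "https://www.google-analytics.com/j/collect?v=1"]) {
  const r = checkConnect(POLICY, target, PAGE);
  console.log(target, "->", r.allowed ? "allowed" : "blocked", "by", r.directive);
  for (const [src, why] of r.results) console.log("   ", src, ":", why);
}
```

Under this model neither logged URL is covered by any `connect-src` entry: the hosts allowed under `script-src` and `img-src` do not carry over to `connect-src`, and each WebSocket entry differs from the target in either host or scheme.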