Adding a custom safe app with a localhost url that contains a port no longer works.

[aLANparty]

Hi, I'm not sure where exactly to post this so my apologies if this is not the correct place.

We ran into an issue that started I think today, but possibly as far back as a week. We use a custom gnosis safe app for a few people to manage an nft project and until just recently we have been using the app with a url of http://localhost:3000 which is the default port used by our js framework for local dev mode.

We first noticed today that this now fails with an error in the console about a CSP restriction on frame-src http://*, https://*. Which blocks the app from loading in the iframe.

To get around the issue we found that if we run the app or port 80 instead of 3000 we can add the app with the url http://localhost and continue to use it as we have been without issue. I should note that http://localhost:80 also fails to load.

So my guess is that something has changed related to the frame-src restriction that prevents urls with ports in them from loading.

Everything is working fine for us with the switch to http://localhost, but I wanted to submit this incase this was an unintended change.

Thanks.

[parius]

@aLANparty thanks for reporting and sorry for returning back with a delay.
The issues was known to us, and the fix went live on 28th Aug.