Refused to connect to '<URL>' because it violates the following Content Security Policy directive

Hi there,

I have deployed a Unity WebGL build on a Linux Ubuntu server. My game is a turn-based multiplayer game, and I am using Unity Services to handle networking. The network topology follows a client-server model, and I’m using the Protocol Type as Relay Unity Service in the Unity Transport Script and the “Use Web Sockets” bool is checked to true.

Initially, the client was connecting to the server through the Matchmaker service. However, once I published the WebGL build using the HTTPS protocol, the client was no longer able to connect via Matchmaker.

To resolve this, I switched to using Unity Relay in combination with the Lobby service to establish the connection between the client and server as discussed here, which worked correctly in my local environment.

However, after deploying the build to the Ubuntu server and testing the released version of the WebGL game, I encountered the following error:

BuildDeploy.framework.js.gz:9 
 Refused to connect to 'wss://6799269696119042597-asia-northeast1.relay.cloud.unity3d.com:37011/' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval' 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I have tried different solutions for that, like adding headers via Nginx:

add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https: wss://*.relay.cloud.unity3d.com;" always;

Also

add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' 'self'; connect-src https: data: 'self' wss://*.relay.cloud.unity3d.com:37011;";

Also verified additional Unity Relay domains as:

connect-src https: data: 'self' wss://*.relay.cloud.unity3d.com:37011 wss://*.unity3d.com;

I am still in the process of figuring out how to resolve this issue. As shown in the attached images, the Lobby is successfully created, and the client connects via Unity Relay. However, after that, I encounter an error that prevents the game from starting and stops the client from connecting to the server.

If anyone has encountered this issue before, I would appreciate your guidance. Additionally, if I am using incorrect domains for Unity Relay or any other Unity Multiplayer Services, please let me know.

I have resolved the issue, and the client is now successfully connecting to the server.

The issue arose due to conflicting Content Security Policy (CSP) headers: your custom Nginx CSP explicitly allowed WebSocket connections (wss://) and Unity Relay services via connect-src, but Certbot’s SSL configuration injected a second CSP header that lacked these rules, causing browsers to enforce both policies. Since Certbot’s header defaulted to blocking non-whitelisted connections (including WebSockets), the conflict prevented Unity multiplayer services from functioning. By identifying and removing the duplicate CSP header from Certbot’s configuration, we ensured only your intended policy (with proper WebSocket permissions) was applied, resolving the conflict and restoring connectivity. This fix highlights the importance of auditing inherited headers to avoid unintended security rule clashes.
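
The effect described above, as an added example that is not part of the original thread: a browser applies every Content-Security-Policy header it receives, and a connection must pass all of them. The matcher is simplified (exact scheme comparison, only scheme and scheme://host[:port] sources), the two header values are taken from the Nginx line and the error message earlier in the thread, and the function names are hypothetical.

```javascript
// Added example: evaluating a WebSocket URL against several CSP headers at once.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

function sourceMatches(source, url) {
  // Scheme source such as "https:" or "data:". Simplification: exact match only.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === url.protocol;
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // keywords like 'self' do not cover a third-party relay host
  const [, scheme, host, port] = m;
  if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1).toLowerCase())
    : url.hostname === host.toLowerCase();
  // A source without a port covers the default port only (URL.port is '' then).
  const portOk = port === '*' || (port ?? '') === url.port;
  return hostOk && portOk;
}

// Returns which header (by index) blocks the connection, if any.
function connectAllowed(headerValues, target) {
  const url = new URL(target);
  const blockedBy = [];
  headerValues.forEach((value, i) => {
    const policy = parsePolicy(value);
    const sources = policy.get('connect-src') ?? policy.get('default-src'); // fallback
    if (sources && !sources.some((s) => sourceMatches(s, url))) blockedBy.push(i);
  });
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed input, using values quoted in the thread.
const intended = "default-src https: data: 'unsafe-inline' 'unsafe-eval' 'self'; " +
  "connect-src https: data: 'self' wss://*.relay.cloud.unity3d.com:37011;";
const duplicate = "default-src https: data: 'unsafe-inline' 'unsafe-eval' 'self'";
const relay = 'wss://6799269696119042597-asia-northeast1.relay.cloud.unity3d.com:37011/';

console.log(connectAllowed([intended], relay));            // single header
console.log(connectAllowed([intended, duplicate], relay)); // both headers sent
```

Pass it every Content-Security-Policy value the server actually returns for the page; the `blockedBy` index shows which header to track down in the server configuration.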

Did you fix this? I’m running into the same issues for leaderboards. It was working fine earlier today but now I’m getting these CSP errors and I haven’t changed any code.

Yes, we have resolved the error. It was not caused by the code but by the deployment setup. The issue occurred due to duplicate Content Security Policy (CSP) headers in Certbot’s configuration. Removing the duplicate CSP header fixed the problem, and it was resolved by our DevOps team.

Hmm, I’m having a similar issue but for leaderboards on my WebGL build on Unity Play. The weird thing is that the same exact build works correctly on Itch.io but somehow on Unity it doesn’t. Do you have any idea of what it could be? I made a full post here: Unity Play WebGL build suddently can't fetch leaderboard because of Content Security Policy and works fine locally

but no answers yet. I’m thinking it has to be a Unity Play thing. I tried uploading the same build to a new Unity Play game but still the same thing.

Let me know if you can think of anything.

Thanks 🙂

Dear Siflou,

Actually, we were uploading and hosting the game on our own server using our own domain, so we were able to update the CSP headers and remove the duplicate Content Security Policy (CSP) entries from Certbot’s configuration.

In your case, the game is hosted on Unity Play, and you won’t be able to override the CSP settings there. Unity Play enforces its own CSP, which means external API calls outside the allowed list are blocked.

In such a scenario, you would need to use Unity’s approved services or proxy the requests through an allowed domain. Also, I believe that leaderboard functionality is not supported when hosting on Unity Play.

This issue would need to be addressed by the Unity Play DevOps team. For quicker resolution, I recommend contacting Unity Support directly for a consultation rather than continuing the discussion here.

Best regards,
Zeeshan