New issue
Advanced search Search tips

Issue 878415 link

Starred by 1 user
Status: Fixed
Owner:
steimel@chromium.org
Closed: Aug 29
Cc:
vamshi.kommuri@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug


Show other hotlists

Hotlists containing this issue:
Modern-Media-Controls


Sign in to add a comment

Video loading spinner broken by CSP

Project Member Reported by alogvi...@yandex-team.ru, Aug 28 
Chrome Version: 70.0.3536.0 (Developer Build) (64-bit)
OS: Mac OS X

What steps will reproduce the problem?
(1) Open attached HTML file

What is the expected result?

A HTML video is displayed. While the video is loaded, spinner is displayed over the "play" button.

What happens instead?

An HTML video is displayed. While the video is loaded, spinner is not displayed over the "play" button.
Additionally, console log contains the following messages:

Refused to load the image 'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjIuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IgoJIHZpZXdCb3g9IjAgMCAxOTYgMTk2IiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCAxOTYgMTk2OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0xNDcsOThjMCwxOS42LTExLjUsMzYuNS0yOC4yLDQ0LjRsMCwwYy0wLjEsMC0wLjIsMC4xLTAuMywwLjEKCWMwLjEsMCwwLjItMC4xLDAuMy0wLjFsLTEuNy0zLjZDMTMyLjQsMTMxLjYsMTQzLDExNiwxNDMsOThjMC0yNC45LTIwLjEtNDUtNDUtNDV2LTRDMTI1LjEsNDksMTQ3LDcwLjksMTQ3LDk4eiIvPgo8L3N2Zz4K' because it violates the following Content Security Policy directive: "default-src https://www.w3schools.com". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the image 'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjIuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IgoJIHZpZXdCb3g9IjAgMCAxOTYgMTk2IiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCAxOTYgMTk2OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik05OCw0OXY0Yy0yNC45LDAtNDUsMjAuMS00NSw0NQoJYzAsMTgsMTAuNiwzMy42LDI1LjksNDAuOGwtMS43LDMuNmMwLjEsMCwwLjIsMC4xLDAuMywwLjFjLTAuMSwwLTAuMi0wLjEtMC4zLTAuMWwwLDBDNjAuNSwxMzQuNSw0OSwxMTcuNiw0OSw5OAoJQzQ5LDcwLjksNzAuOSw0OSw5OCw0OXoiLz4KPC9zdmc+Cg==' because it violates the following Content Security Policy directive: "default-src https://www.w3schools.com". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

The problem is that the document uses CSP that forbids data urls, so spinner image URLs can not be loaded:

<meta http-equiv="Content-Security-Policy" content="default-src https://www.w3schools.com;">

This problem is similar to https://bugs.chromium.org/p/chromium/issues/detail?id=777848, in https://chromium-review.googlesource.com/741586, this was fixed for -webkit-image-set but here this is just a plain image: https://cs.chromium.org/chromium/src/ui/file_manager/video_player/css/video_player.css?l=56

Apparently, a similar fix is needed for CSSImageValue.
index1.html
333 bytes View Download

Comment 1 by steimel@chromium.org, Aug 28

Owner: steimel@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by steimel@chromium.org, Aug 29

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 29 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/97ca57e38276d1c6e5590f9ce36e455fd3410673

commit 97ca57e38276d1c6e5590f9ce36e455fd3410673
Author: Tommy Steimel <steimel@chromium.org>
Date: Wed Aug 29 20:19:00 2018

[Media Controls] Define loading mask background in UA sheet

This CL changes the loading panel mask backgrounds to have their images
defined in the main UA CSS instead of the inserted stylesheet. This
fixes an issue where the loading spinner was broken by content security
policy.

Bug:  878415 
Change-Id: Iaa78fbe810fe900d3abe39d03302250b7b9fade7
Reviewed-on: https://chromium-review.googlesource.com/1195719
Reviewed-by: Becca Hughes <beccahughes@chromium.org>
Commit-Queue: Tommy Steimel <steimel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587270}
[modify] https://crrev.com/97ca57e38276d1c6e5590f9ce36e455fd3410673/third_party/blink/renderer/modules/media_controls/elements/media_control_loading_panel_element.cc
[modify] https://crrev.com/97ca57e38276d1c6e5590f9ce36e455fd3410673/third_party/blink/renderer/modules/media_controls/resources/modernMediaControls.css
[modify] https://crrev.com/97ca57e38276d1c6e5590f9ce36e455fd3410673/third_party/blink/renderer/modules/media_controls/resources/modernMediaControls_loading.css

Comment 4 by steimel@chromium.org, Aug 29

Status: Fixed (was: Started)

Comment 5 by vamshi.kommuri@chromium.org, Aug 30

Cc: vamshi.kommuri@chromium.org
Labels: TE-Verified-M70 TE-Verified-70.0.3537.0
Verified the fix on Mac 10.13.1 using Chrome version #70.0.3537.0 as per the comment #0.
Attaching screen cast for reference.
Observed the loading spinner and no errors are seen in console.
Hence, the fix is working as expected. 
Adding the verified labels.
Note: Able to reproduce the issue on chrome version with out fix.

Thanks...!!

Sign in to add a comment