CSP with video tag
Reported by dante3...@gmail.com, Jan 11
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce the problem:
1. Create a page with CSP directives (all to 'self') using the video tag (example here: https://nicolas-hoffmann.net/bordel/csp-bug.php)
2. display it
3. see CSP errors in the console

What is the expected behavior?
Page should not trigger any CSP notification (for images that are browser-related).

What went wrong?
Chrome triggered a CSP violation on img-src. Note: Adding data: in the directives fixes the problem, see example: https://www.nicolas-hoffmann.net/source/1369-Balise-video-de-HTML5-Alone-in-the-Light-Terragen2.html

Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 71.0.3578.98 (Build officiel) (64 bits) (cohort: Stable)
Channel: n/a
OS Version: 10.0
Flash Version:

Bug reported here, the error has the same values: 'data:image/svg+xml;base64,PD94bW...'
Jan 12

Jan 14

Jan 16 (6 days ago)
Thanks for the issue... Tried to reproduce the issue on reported chrome version 71.0.3578.98 using Windows 10. Attaching screen-cast for reference.

Steps:
1. Launched reported chrome
2. Navigated to the URL "https://nicolas-hoffmann.net/bordel/csp-bug.php" and opened Devtools
3. Played the video

As we have not observed errors, @Reporter: could you please check the attached screen-cast and let us know if we missed anything from our end. Thanks!

Jan 16 (6 days ago)
Deleted the above comment #5, as the issue updated twice.

Jan 16 (6 days ago)
I think I found the difference: I have the same exact config as you (version, etc.), BUT it seems to be caused by the Ghostery extension. If I try without Ghostery, no CSP violation. See screencast here: http://recordit.co/QQzTh5oA2q

Could you confirm? Btw it should not: extensions should not interfere, right?

Jan 16 (6 days ago)
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 16 (6 days ago)
I don't get an error message on https://nicolas-hoffmann.net/bordel/csp-bug.php but I get an error message on my website https://math-coaching.com

http://recordit.co/AvfKYVC5K1

In the recording I show the error message from the console and from the CSP report. I don't have the Ghostery extension. With all my extensions switched off I still get the same error message in my console.

Version 71.0.3578.98 (Build officiel) (64 bits)
Windows 10

Could you please make a test on https://math-coaching.com ? Pay attention that the error message is triggered when the page is loaded for the first time, not when I push the play button on the video.

Jan 16 (6 days ago)
https://math-coaching.com/ reproduces the issue on Windows 10 1709 using Chrome 71.0.3578.98 (Official Build) (64-bit) (cohort: Stable).

Yesterday (45 hours ago)
I can replicate the error on https://math-coaching.com/. It looks like the `<video>` element is creating internal elements to render the loading spinner, and inlines the background image for these elements into the UA stylesheet.

Ideally, we'd allow those requests to bypass the page's CSP; I suspect that's going to be more work than anyone has time for at the moment, but it's clearly the right behavior to aim for. Marking this as available.

Comment 1 by dante3...@gmail.com, Jan 11