225865 2021-05-17 04:30:57 -0700 CSP sandbox policy header disables built-in media player 2023-08-27 23:36:47 -0700 1 1 1 Unclassified WebKit Media Safari 14 Other All RESOLVED DUPLICATE 223422 https://bugs.webkit.org/show_bug.cgi?id=223422 https://bugs.webkit.org/show_bug.cgi?id=191782 InRadar P2 Normal --- 1 fnowak webkit-unassigned annevk bfulgham eric.carlson hi jer.noble webkit-bug-importer oldest_to_newest 1760722 0 fnowak 2021-05-17 04:30:57 -0700 We have encountered problems with introducing "Content-Security-Policy: sandbox" header to some resources. The issue is described here: https://jira.atlassian.com/browse/JRASERVER-72275. Steps to reproduce: 1. Request for audio/video file and get a response with "Content-Security-Policy: sandbox" HTTP header set. Actual results: 1. Console shows: "Blocked script execution in 'http://localhost:8080/secure/attachment/10000/100MBVideo.mp4' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." 2. The video does not play. Expected results: 1. Video plays without issues. Workaround: 1. Set "Content-Security-Policy: sandbox allow-scripts" header for affected browsers. The same issue occurs both in OS X and iOS versions of Safari, as well as iOS version of Chrome, thus we think that the problem lies within WebKit itself. Firefox on OS X works without any issues. However, Chrome for OS X requires `allow-same-origin` instead of `allow-scripts` to function properly. Could you please confirm if this is a bug or desired behaviour? 1763093 1 webkit-bug-importer 2021-05-24 04:31:17 -0700 <rdar://problem/78394877> 1973863 2 annevk 2023-08-27 23:36:47 -0700 It's not desired behavior. It appears this was fixed by bug 223422. Please comment/reopen if that's not the case. *** This bug has been marked as a duplicate of bug 223422 ***