Bug 225865

Field | Value
---|---
Summary | CSP sandbox policy header disables built-in media player
Product | WebKit
Component | Media
Status | RESOLVED DUPLICATE
Severity | Normal
Priority | P2
Version | Safari 14
Hardware | Other
OS | All
Reporter | fnowak <fnowak>
Assignee | Nobody <webkit-unassigned>
CC | annevk, bfulgham, eric.carlson, hi, jer.noble, webkit-bug-importer
Keywords | InRadar
See Also | https://bugs.webkit.org/show_bug.cgi?id=223422, https://bugs.webkit.org/show_bug.cgi?id=191782

fnowak@atlassian.com
We have encountered problems with introducing the "Content-Security-Policy: sandbox" header to some resources.
The issue is described here: https://jira.atlassian.com/browse/JRASERVER-72275.
Steps to reproduce:
1. Request an audio/video file and get a response with the "Content-Security-Policy: sandbox" HTTP header set.
Actual results:
1. Console shows: "Blocked script execution in 'http://localhost:8080/secure/attachment/10000/100MBVideo.mp4' because the document's frame is sandboxed and the 'allow-scripts' permission is not set."
2. The video does not play.
Expected results:
1. Video plays without issues.
Workaround:
1. Set the "Content-Security-Policy: sandbox allow-scripts" header for affected browsers.
The same issue occurs in both the OS X and iOS versions of Safari, as well as the iOS version of Chrome, thus we think that the problem lies within WebKit itself.
Firefox on OS X works without any issues. However, Chrome for OS X requires `allow-same-origin` instead of `allow-scripts` to function properly.
Could you please confirm if this is a bug or desired behaviour?
Radar WebKit Bug Importer
<rdar://problem/78394877>
Anne van Kesteren
It's not desired behavior. It appears this was fixed by bug 223422. Please comment/reopen if that's not the case.
*** This bug has been marked as a duplicate of bug 223422 ***
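
The workaround from the report, written out as server-side header selection. This is an added example, not code from the bug thread, WebKit or Jira: the function names, the User-Agent patterns, the sample User-Agent strings and the extra `X-Content-Type-Options` and `Vary` headers are assumptions of the example, and it does no version check for browsers that already carry the fix from bug 223422.

```javascript
// Added example (not from the bug report). Function names and the
// User-Agent patterns are assumptions; they are simplified heuristics.
const MEDIA_TYPE = /^(audio|video)\//i;

// Constructed sample User-Agent strings, for illustration only.
const SAMPLE_USER_AGENTS = {
  safariMac: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15',
  chromeMac: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36',
  chromeIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/90.0.4430.216 Mobile/15E148 Safari/604.1',
  firefoxMac: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0',
};

function browserFamily(userAgent) {
  // Browsers on iOS run on WebKit, so test for iOS before "Chrome".
  if (/\b(iPhone|iPad|iPod)\b/.test(userAgent)) return 'webkit';
  if (/\bChrome\//.test(userAgent)) return 'chromium';
  if (/\bFirefox\//.test(userAgent)) return 'gecko';
  if (/\bVersion\/.*\bSafari\//.test(userAgent)) return 'webkit';
  return 'other';
}

function sandboxPolicy(contentType, userAgent) {
  // Non-media attachments (HTML, SVG, ...) always keep the full sandbox.
  if (!MEDIA_TYPE.test(contentType || '')) return 'sandbox';
  // The two tokens are never sent together: script running with the
  // real origin would make the sandbox pointless.
  switch (browserFamily(userAgent || '')) {
    case 'webkit':   return 'sandbox allow-scripts';     // workaround in the report
    case 'chromium': return 'sandbox allow-same-origin'; // reporter's observation
    default:         return 'sandbox';                   // Firefox played the file as is
  }
}

function attachmentHeaders(contentType, userAgent) {
  return {
    'Content-Type': contentType,
    'Content-Security-Policy': sandboxPolicy(contentType, userAgent),
    // Additions of this example: stop MIME sniffing from turning a
    // "video" into HTML, and keep shared caches from mixing variants.
    'X-Content-Type-Options': 'nosniff',
    'Vary': 'User-Agent',
  };
}
```

The relaxed policy is limited to `audio/*` and `video/*` responses, so attachments that can carry script stay under the plain `sandbox` policy in every browser.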