RESOLVED FIXED 155182
Web Inspector: Images being blocked by CSP 2.0
https://bugs.webkit.org/show_bug.cgi?id=155182
Joseph Pecoraro
Reported 2016-03-08 12:20:03 PST
* SUMMARY
All inspector images (file://) are being blocked by CSP 2.0. Warnings like:

CONSOLE ERROR Refused to load the image 'file:///Users/pecoraro/Build/Release/WebInspectorUI.framework/Resources/Images/UserInputPrompt.svg' because it violates the following Content Security Policy directive: "img-src *".

* NOTES
- Inspector includes "file:" and "blob:" image resources.
Attachments
[PATCH] Proposed Fix (1.46 KB, patch)
2016-03-08 12:21 PST, Joseph Pecoraro
no flags
[PATCH] Better Fix (blob for font-src) (1.52 KB, patch)
2016-03-08 12:29 PST, Joseph Pecoraro
no flags
Radar WebKit Bug Importer
Comment 1 2016-03-08 12:20:50 PST
Joseph Pecoraro
Comment 2 2016-03-08 12:21:33 PST
Created attachment 273314 [details] [PATCH] Proposed Fix
Joseph Pecoraro
Comment 3 2016-03-08 12:29:25 PST
Created attachment 273315 [details] [PATCH] Better Fix (blob for font-src)

Missed out on font-src blob:. Also added for media-src just in case.
Daniel Bates
Comment 4 2016-03-08 12:37:08 PST
Comment on attachment 273315 [details] [PATCH] Better Fix (blob for font-src)
View in context: https://bugs.webkit.org/attachment.cgi?id=273315&action=review

> Source/WebInspectorUI/UserInterface/Main.html:29
> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * file: blob:; connect-src *; media-src * blob:; font-src * blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'">

This is OK as-is. It is unnecessary to explicitly add "blob:" to the media-src directive as * will match blob URLs.
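Review bot: the Content-Security-Policy meta tag added at Main.html:29 carries no comment explaining why file: and blob: are listed next to * in img-src, and blob: next to * in media-src and font-src. The console error in the report shows "img-src *" refusing a file: image, so at least the img-src schemes are required rather than decorative; a short HTML comment above the tag naming which Inspector resources need file: and blob: would keep a later cleanup from dropping them as redundant. The same comment should say whether the media-src blob: entry, described as added "just in case", is intended to stay, so the policy does not accumulate entries nobody can justify.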
WebKit Commit Bot
Comment 5 2016-03-08 13:56:03 PST
Comment on attachment 273315 [details] [PATCH] Better Fix (blob for font-src)

Clearing flags on attachment: 273315

Committed r197802: <http://trac.webkit.org/changeset/197802>
WebKit Commit Bot
Comment 6 2016-03-08 13:56:07 PST
All reviewed patches have been landed. Closing bug.