* SUMMARY All inspector images (file://) are being blocked by CSP 2.0. Warnings like: CONSOLE ERROR Refused to load the image 'file:///Users/pecoraro/Build/Release/WebInspectorUI.framework/Resources/Images/UserInputPrompt.svg' because it violates the following Content Security Policy directive: "img-src *". * NOTES - Inspector includes "file:" and "blob:" image resources.
<rdar://problem/25040640>
Created attachment 273314 [details] [PATCH] Proposed Fix
Created attachment 273315 [details] [PATCH] Better Fix (blob for font-src) Missed out on font-src blob:. Also added for media-src just in case.
Comment on attachment 273315 [details] [PATCH] Better Fix (blob for font-src) View in context: https://bugs.webkit.org/attachment.cgi?id=273315&action=review > Source/WebInspectorUI/UserInterface/Main.html:29 > + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * file: blob:; connect-src *; media-src * blob:; font-src * blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"> This is OK as-is. It is unnecessary to explicitly add "blob:" to the media-src directive as * will match blob URLs.
Comment on attachment 273315 [details] [PATCH] Better Fix (blob for font-src) Clearing flags on attachment: 273315 Committed r197802: <http://trac.webkit.org/changeset/197802>
All reviewed patches have been landed. Closing bug.