WebKit Bugzilla
Bug 191782: CSP can block Safari’s default media player UI icons
RESOLVED DUPLICATE of bug 223422
https://bugs.webkit.org/show_bug.cgi?id=191782
Daniel
Reported
2018-11-16 15:22:43 PST
Created attachment 355140
Screenshot

Set the following Content-Security-Policy (CSP) header:

    default-src 'none'; img-src 'self'; media-src 'self'; report-uri http://localhost/csp-reports

And a sample document:

    <video autoplay controls>
      <source src="./video.mp4" type="video/mp4">
    </video>

Expected results: The video should load and start auto playing. When hovering the video, you should see standard controls and be able to interact with them. This is browser UI and should just work. Works fine in Chromium and Firefox.

Actual results: The video will autoplay and the default UI toolbars will display. However, the button icons are invisible and the user can’t interact with them. Safari also reports a CSP violation about having blocked data:image/svg files to http://localhost/csp-reports
Attachments
Screenshot (4.17 KB, image/png), 2018-11-16 15:22 PST, Daniel
Radar WebKit Bug Importer
Comment 1
2018-11-17 12:16:14 PST
<rdar://problem/46151484>
moirelein
Comment 2
2019-07-16 01:19:22 PDT
As a workaround I use the CSP policy `img-src 'self' data:`
TokerX
Comment 3
2020-10-04 06:49:52 PDT
The same happens in Chrome on iOS, so it's not a Safari bug, but most likely, as usual, one of Apple's weird policies.
Sam Sneddon [:gsnedders]
Comment 4
2022-02-14 19:06:11 PST
Sorry for the forward dupe, this got resolved in a different issue.

*** This bug has been marked as a duplicate of bug 223422 ***