Bug 191782 - CSP can block Safari’s default media player UI icons
Summary: CSP can block Safari’s default media player UI icons
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: Safari Technology Preview
Hardware: Unspecified macOS 10.14
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-11-16 15:22 PST by Daniel
Modified: 2019-02-25 03:11 PST (History)
9 users (show)

See Also:


Attachments
Screenshot (4.17 KB, image/png)
2018-11-16 15:22 PST, Daniel
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel 2018-11-16 15:22:43 PST
Created attachment 355140 [details]
Screenshot

Set the following Content-Security-Policy (CSP) header:
default-src 'none'; img-src 'self'; media-src 'self'; report-uri http://localhost/csp-reports

And a sample document:
<video autoplay controls>
  <source src="./video.mp4" type="video/mp4">
</video>

Expected results:
The video should load and start auto playing. When hovering the video, you should see standard controls and be able to interact with them. This is browser UI and should just work. Works fine in Chromium and Firefox.

Actual results:
The video will autoplay and the default UI toolbars will display. However, the button icons are invisible and the user can’t interact with them. Safari also reports a CSP violation about having blocked data:image/svg files to http://localhost/csp-reports
Comment 1 Radar WebKit Bug Importer 2018-11-17 12:16:14 PST
<rdar://problem/46151484>