Bug 225865 - CSP sandbox policy header disables built-in media player
Summary: CSP sandbox policy header disables built-in media player
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media (show other bugs)
Version: Safari 14
Hardware: Other All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-05-17 04:30 PDT by fnowak@atlassian.com
Modified: 2021-05-24 04:31 PDT (History)
5 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description fnowak@atlassian.com 2021-05-17 04:30:57 PDT
We have encountered problems with introducing "Content-Security-Policy: sandbox" header to some resources.
The issue is described here: https://jira.atlassian.com/browse/JRASERVER-72275.

Steps to reproduce:
1. Request for audio/video file and get a response with "Content-Security-Policy: sandbox" HTTP header set.

Actual results:
1. Console shows: "Blocked script execution in 'http://localhost:8080/secure/attachment/10000/100MBVideo.mp4' because the document's frame is sandboxed and the 'allow-scripts' permission is not set."
2. The video does not play.

Expected results:
1. Video plays without issues.

Workaround:
1. Set "Content-Security-Policy: sandbox allow-scripts" header for affected browsers.


The same issue occurs both in OS X and iOS versions of Safari, as well as iOS version of Chrome, thus we think that the problem lies within WebKit itself.
Firefox on OS X works without any issues. However, Chrome for OS X requires `allow-same-origin` instead of `allow-scripts` to function properly.

Could you please confirm if this is a bug or desired behaviour?
Comment 1 Radar WebKit Bug Importer 2021-05-24 04:31:17 PDT
<rdar://problem/78394877>