poster attribute for video element has stricter Mixed Content policies 
https://bugs.webkit.org/show_bug.cgi?id=258602
Summary poster attribute for video element has stricter Mixed Content policies
Benjamin
Reported 2023-06-27 21:45:37 PDT
If you add a poster attribute to the video element it dosen't load the poster, but works fine in other browsers <video poster="http://camendesign.com/code/video_for_everybody/poster.jpg"> <source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"> <p>Your browser does not support the video tag.</p> </video>
Attachments
rendering in safari, firefox, chrome (1.10 MB, image/png)
2023-06-29 00:02 PDT, Karl Dubost 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2023-06-28 19:52:59 PDT
I cannot reproduce this with Safari 17 beta. There is something weird going on with the poster size, as it momentarily shows up having the same size as in Chrome, and then becomes smaller.
Karl Dubost
Comment 2 2023-06-29 00:02:10 PDT
Created attachment 466857 [details] rendering in safari, firefox, chrome With ``` data:text/html,<video poster="http://camendesign.com/code/video_for_everybody/poster.jpg"><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"><p>Your browser does not support the video tag.</p></video> ``` Safari Technology Preview 173 19616.1.20.2 Firefox Nightly 116.0a1 11623.6.28 Google Chrome Canary 117.0.5859.0 5859.0 The behavior is totally different.
Karl Dubost
Comment 3 2023-06-29 00:13:41 PDT
with the data: URL the console says: Refused to load http://camendesign.com/code/video_for_everybody/poster.jpg because it does not appear in the img-src directive of the Content Security Policy. which is interesting because data:text/html,<img src="http://camendesign.com/code/video_for_everybody/poster.jpg"> will work. https://searchfox.org/wubkat/rev/0a80aee13182b2feee32d8519e716edf3e876e18/Source/WebCore/html/HTMLVideoElement.cpp#249-262
Karl Dubost
Comment 4 2023-06-29 00:17:58 PDT
Ha this is working. data:text/html,<video poster="https://camendesign.com/code/video_for_everybody/poster.jpg"><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"><p>Your browser does not support the video tag.</p></video> aka https for the poster URL instead of http. So the bug is different. It's more about Content Security Policy for the poster attribute.
Alexey Proskuryakov
Comment 5 2023-06-29 08:45:06 PDT
To be clear, I was testing with a local file, containing the code from bug description.
Benjamin
Comment 6 2023-06-29 10:43:40 PDT
I have updated the URL to a codepen illustrating the issue https://codepen.io/benjaminhoegh/pen/NWEjPXE
Radar WebKit Bug Importer
Comment 7 2023-07-04 21:46:17 PDT
<rdar://problem/111765501>
Karl Dubost
Comment 8 2023-07-05 16:03:56 PDT
after discussions with Anne, it's more about mixed content.
Anne van Kesteren
Comment 9 2023-07-05 16:11:32 PDT
In particular we should be upgrading this request, similar to <img src>.
Note You need to log in before you can comment on or make changes to this bug.