[Webkit-unassigned] [Bug 191782] New: CSP can block Safari’s default media player UI icons
bugzilla-daemon at webkit.org
Fri Nov 16 15:22:43 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=191782
Bug ID: 191782
Summary: CSP can block Safari’s default media player UI icons
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: macOS 10.14
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: code at daniel.priv.no
Created attachment 355140
--> https://bugs.webkit.org/attachment.cgi?id=355140&action=review
Screenshot
Set the following Content-Security-Policy (CSP) header:

    default-src 'none'; img-src 'self'; media-src 'self'; report-uri http://localhost/csp-reports

And a sample document:

    <video autoplay controls>
      <source src="./video.mp4" type="video/mp4">
    </video>

Expected results:
The video should load and start auto playing. When hovering the video, you should see standard controls and be able to interact with them. This is browser UI and should just work. Works fine in Chromium and Firefox.

Actual results:
The video will autoplay and the default UI toolbars will display. However, the button icons are invisible and the user can’t interact with them. Safari also reports a CSP violation about having blocked data:image/svg files to http://localhost/csp-reports
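
Added example, not part of the original bug report: a simplified CSP source-list matcher showing why the reported policy permits ./video.mp4 under media-src but rejects a data: SVG under img-src, since 'self' covers only the page's own origin. PAGE_URL and ICON_URL are constructed assumptions, and only 'none', 'self' and scheme-sources are modelled.

```javascript
// Added example: simplified CSP source matching ('none', 'self', scheme-sources only).
// PAGE_URL is an assumption; the report only shows http://localhost for report-uri.
const PAGE_URL = 'http://localhost/index.html';
const REPORTED_POLICY =
  "default-src 'none'; img-src 'self'; media-src 'self'; " +
  'report-uri http://localhost/csp-reports';
// Constructed stand-in for an inline SVG control icon.
const ICON_URL = 'data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E';

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function isAllowed(header, directive, resourceUrl, pageUrl = PAGE_URL) {
  const policy = parsePolicy(header);
  // Fetch directives fall back to default-src when absent.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this load
  const url = new URL(resourceUrl, pageUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === pageOrigin;
    // Scheme-source such as "data:" or "https:".
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
    return false; // 'none' and unsupported source forms match nothing here
  });
}

// Evaluate the two loads from the report against the reported policy.
function reportedCase() {
  return {
    video: isAllowed(REPORTED_POLICY, 'media-src', './video.mp4'),
    icon: isAllowed(REPORTED_POLICY, 'img-src', ICON_URL),
  };
}

console.log(reportedCase()); // { video: true, icon: false }
```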