[Webkit-unassigned] [Bug 225865] New: CSP sandbox policy header disables built-in media player

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 17 04:30:57 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=225865

            Bug ID: 225865
           Summary: CSP sandbox policy header disables built-in media
                    player
           Product: WebKit
           Version: Safari 14
          Hardware: Other
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fnowak at atlassian.com

We have encountered problems with introducing the "Content-Security-Policy: sandbox" header on some resources.
The issue is described here: https://jira.atlassian.com/browse/JRASERVER-72275.

Steps to reproduce:
1. Request an audio/video file and get a response with the "Content-Security-Policy: sandbox" HTTP header set.

Actual results:
1. Console shows: "Blocked script execution in 'http://localhost:8080/secure/attachment/10000/100MBVideo.mp4' because the document's frame is sandboxed and the 'allow-scripts' permission is not set."
2. The video does not play.

Expected results:
1. Video plays without issues.

Workaround:
1. Set "Content-Security-Policy: sandbox allow-scripts" header for affected browsers.


The same issue occurs in both the OS X and iOS versions of Safari, as well as the iOS version of Chrome, so we think that the problem lies within WebKit itself.
Firefox on OS X works without any issues. However, Chrome for OS X requires `allow-same-origin` instead of `allow-scripts` to function properly.

Could you please confirm if this is a bug or desired behaviour?
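
The scenario from the report, as an added example (not code from the reporter or from WebKit): a small Python server that applies the attachment sandbox header per content type, using the reporter's workaround of adding allow-scripts only for audio/video responses. The directory, port and MIME prefixes are assumptions.

```python
import http.server
import os
from functools import partial

# Attachments are served with "Content-Security-Policy: sandbox" so an uploaded
# HTML file cannot run script in the site's origin. For audio/video the report's
# workaround adds allow-scripts, which WebKit's built-in media player needs.
# Because allow-same-origin is still absent, the sandboxed document keeps an
# opaque origin and cannot reach the site's cookies or DOM.
MEDIA_PREFIXES = ("audio/", "video/")  # assumed set of media types


def csp_for(content_type: str) -> str:
    """Return the CSP header value for an attachment of the given MIME type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type.startswith(MEDIA_PREFIXES):
        return "sandbox allow-scripts"
    return "sandbox"


class AttachmentHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from `directory` with a content-type-aware sandbox policy."""

    def end_headers(self):
        ctype = self.guess_type(self.path)
        self.send_header("Content-Security-Policy", csp_for(ctype))
        # Stop browsers from sniffing a different type than the one we chose for.
        self.send_header("X-Content-Type-Options", "nosniff")
        super().end_headers()


def serve(directory: str, port: int = 8080) -> None:
    """Serve `directory` on localhost so the behaviour can be checked in a browser."""
    handler = partial(AttachmentHandler, directory=directory)
    with http.server.ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        print(f"serving {directory} on http://127.0.0.1:{port}/")
        httpd.serve_forever()


if __name__ == "__main__":
    serve(os.getcwd())
```

Place a .mp4 in the served directory and open it in Safari with and without the allow-scripts branch to observe the blocked-script console message from the report.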
