What value to use for Content-Security-Policy meta

Posted 2019-05-18 18:07

Question:

My https://my-site.com site has some html like the following:

<video src="blob:https://my-site.com/{some-guid}"></video>

In console, I get this error:

Refused to load media from 'blob:https://my-site.com/{some-guid}' because it violates the following Content Security Policy directive: "media-src *".

In my head I have this:

<meta http-equiv="Content-Security-Policy" content="media-src * blob:" />

What am I missing? I've even tried the "catch all" (not super safe) value of default-src * 'unsafe-inline' 'unsafe-eval', to no avail.

Using Chrome.

Answer 1:

The fact the message says the CSP directive being applied is just media-src *—instead of media-src * blob:—seems to indicate the browser is already getting a stricter policy from the Content-Security-Policy header that trumps the more-liberal policy in your meta element.

So if your site is in fact already being served with a Content-Security-Policy header, then you’d need to change its policy to use a more-liberal media-src directive that allows blob: sources.

You can’t override a more-strict Content-Security-Policy header value with a more-liberal value specified with meta in the document. See https://w3c.github.io/webappsec-csp/#multiple-policies and https://w3c.github.io/webappsec-csp/#meta-element:

Note: A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.

8.1. The effect of multiple policies

The behavior of an XMLHttpRequest might seem unclear given a site that, for whatever reason, delivered the following HTTP headers:

Content-Security-Policy: default-src 'self' http://example.com http://example.net;
                         connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
                         script-src http://example.com/

Is a connection to example.com allowed or not? The short answer is that the connection is not allowed.

Enforcing both policies means that a potential connection would have to pass through both unscathed. Even though the second policy would allow this connection, the first policy contains connect-src 'none', so its enforcement blocks the connection.

The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.
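The two points the answer makes (a meta policy cannot loosen a header policy, and a bare * does not cover blob: URLs) can be checked with a small model of the browser's multiple-policy evaluation. The code below is an added example, not part of the original question, answer or the CSP specification; it implements a simplified subset of the CSP3 source-matching rules (no nonces, hashes, redirects or default-port normalisation), and the page origin, blob GUID and policy strings used in the demo are constructed values.

```python
"""Toy model of how a browser combines several Content-Security-Policy
policies (HTTP headers plus <meta http-equiv>). Added example, not code
from the original post; it implements a simplified subset of the CSP3
source-matching rules (no nonces, hashes, redirects, default-port handling)."""
from urllib.parse import urlsplit

# Per CSP3, a bare '*' matches any URL except those with the data:, blob:
# and filesystem: schemes, which must be listed explicitly (e.g. "blob:").
WILDCARD_EXCLUDED_SCHEMES = ("data", "blob", "filesystem")


def parse_policy(text):
    """'media-src * blob:; connect-src 'none'' -> {'media-src': [...], ...}.
    The first occurrence of a directive name wins, as in the spec."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url):
    """scheme://host[:port] of a URL; a blob: URL takes the origin of the
    URL nested after 'blob:' (URL standard)."""
    parts = urlsplit(url)
    if parts.scheme == "blob":
        parts = urlsplit(parts.path)
    return f"{parts.scheme}://{parts.netloc}"


def host_source_matches(source, url, page_origin):
    """Host-source expressions such as http://example.com/ or *.cdn.example.
    Simplification: ports are compared literally (no default-port rules)."""
    if "://" not in source:  # schemeless host source: use the page's scheme
        source = urlsplit(page_origin).scheme + "://" + source
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or s.port != u.port:
        return False
    if s.hostname.startswith("*."):
        host_ok = u.hostname is not None and u.hostname.endswith(s.hostname[1:])
    else:
        host_ok = s.hostname == u.hostname
    if not host_ok:
        return False
    if s.path and s.path != "/":  # path-part: exact, or prefix when it ends in '/'
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def source_matches(source, url, page_origin):
    """Does one source expression match the URL being fetched?"""
    if source == "'none'":
        return False
    if source == "*":
        return urlsplit(url).scheme not in WILDCARD_EXCLUDED_SCHEMES
    if source == "'self'":
        return origin_of(url) == page_origin
    if source.endswith(":") and "/" not in source:  # scheme-source: blob:, https:
        return urlsplit(url).scheme == source[:-1]
    if source.startswith("'"):  # 'unsafe-inline', nonces, hashes: not URL sources
        return False
    return host_source_matches(source, url, page_origin)


def policy_allows(policy_text, directive, url, page_origin):
    """One policy allows the fetch if the governing directive (or its
    default-src fallback) lists a matching source. A policy that defines
    neither does not restrict this fetch at all."""
    policy = parse_policy(policy_text)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def blocked_by(policies, directive, url, page_origin):
    """Every active policy (header or meta) must allow the fetch; return the
    ones that refuse it. An empty list means the fetch goes ahead."""
    return [p for p in policies if not policy_allows(p, directive, url, page_origin)]


def allowed(policies, directive, url, page_origin):
    return not blocked_by(policies, directive, url, page_origin)


if __name__ == "__main__":
    # Constructed values mirroring the question: a header policy plus a meta policy.
    page = "https://my-site.com"
    blob = "blob:https://my-site.com/7f0c-constructed-guid"
    header, meta = "media-src *", "media-src * blob:"
    print("meta alone  :", allowed([meta], "media-src", blob, page))            # True
    print("header+meta :", blocked_by([header, meta], "media-src", blob, page))  # ['media-src *']
    # The spec's own two-header example: connect-src 'none' wins over the second policy.
    spec = ["default-src 'self' http://example.com http://example.net; connect-src 'none'",
            "connect-src http://example.com/; script-src http://example.com/"]
    print("spec connect:", allowed(spec, "connect-src", "http://example.com/api", page))  # False
```

Running the block shows the violation message from the question: with the header policy active, the meta policy is evaluated too, but the fetch only succeeds if every policy allows it, so the fix has to be made in the header (media-src * blob:), not in the meta element.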