When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL I get an error like the following:
Refused to load plugin data from 'blob:http%3A//localhost%3A7000/f59612b8-c760-43a4-98cd-fe2a44648393' because it violates the following Content Security Policy directive: "object-src blob://*"
With a content security policy that restricts object-src (or otherwise default-src) one can reproduce the issue (with jQuery for convenience) like this:
var blob = new Blob(
  ["%PDF-1.\ntrailer<</Root<</Pages<</Kids[<</MediaBox[0 0 3 3]>>]>>>>>>"],
  { type: "application/pdf" });
// Embed the blob URL as plugin data; a CSP whose object-src does not
// list blob: refuses to load it.
$("<embed>").attr("src", window.URL.createObjectURL(blob))
  .appendTo(document.body);
It seems from the spec that this should work, as it does for data://*. I have also tried blob, blob:, blob:*, blob:http*, blob:http:* and blob:http://*, but to no avail.
What does work, but for apparent reasons is undesirable, is object-src *.
Has anyone had any success getting blobs to load with a content security policy? Is this a problem upstream, or have I overlooked something?
For Chrome 47.0.2526.73, default-src * blob:; worked for me.
The spec-compliant answer is object-src 'self' blob:. The blob: scheme should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.