CSP and blob:


VPN Account

Dec 27, 2015, 3:16:00 PM
to Chromium-Extensions-Announce

I'm developing a content-script extension in Chrome Version 47.0.2526.106 m.

Trying to play a video from a byte array:

var mediaSrc = new window.MediaSource();
var url = URL.createObjectURL(mediaSrc);
...

var vidsrc = mediaSrc.addSourceBuffer('video/mp4');
vidsrc.appendBuffer(mp4buffer);


where mp4buffer is an ArrayBuffer from an HTTP response.

My manifest.json has the following line:
  "content_security_policy": "media-src 'self' blob:; script-src 'self'; object-src 'self'",

However, I keep getting this error when I run the extension:


Refused to load media from 'blob:https%3A//www.flickr.com/55c079e8-f299-44fe-8a0c-663b692947a2' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' https://*.flickr.com https://*.flickr.net https://*.yimg.com https://bs.serving-sys.com https://*.braintreegateway.com https://*.kaptcha.com https://*.paypal.com https://*.conviva.com http://api.flickr.com https://*.pinterest.com". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.


thanks,
-v

VPN Account

Dec 27, 2015, 7:41:27 PM
to Chromium-Extensions-Announce
I should add: I get that the Flickr page has a CSP header, but I thought extensions were supposed to override those (or at least append their own CSP).
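The check behind the error message quoted in the thread, as an added example (not code from the posts or from Chrome): a simplified CSP matcher showing the media-src to default-src fallback, that only an explicit blob: scheme-source matches a blob URL, and that a load checked against two policies must pass both. Function names are hypothetical, and ports and paths in host-sources are ignored.

```javascript
// Policy strings are copied from the thread: PAGE_CSP from the error message, EXT_CSP from the manifest.
const PAGE_CSP = "default-src 'unsafe-inline' https://*.flickr.com https://*.flickr.net https://*.yimg.com https://bs.serving-sys.com https://*.braintreegateway.com https://*.kaptcha.com https://*.paypal.com https://*.conviva.com http://api.flickr.com https://*.pinterest.com";
const EXT_CSP = "media-src 'self' blob:; script-src 'self'; object-src 'self'";
const BLOB_URL = 'blob:https%3A//www.flickr.com/55c079e8-f299-44fe-8a0c-663b692947a2';
const PAGE_ORIGIN = 'https://www.flickr.com';

// Split a policy into directive name -> source list (first occurrence of a directive wins).
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the URL? (hypothetical helper, simplified matching)
function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme-source, e.g. blob:
  if (u.protocol === 'blob:' || u.protocol === 'data:') return false; // host-sources and 'self' never match these
  if (source === "'self'") return u.origin === selfOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-inline' do not match URLs
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = u.protocol.slice(0, -1);
  const want = m[1] && m[1].toLowerCase();
  if (want && want !== scheme && !(want === 'http' && scheme === 'https')) return false;
  const host = m[3].toLowerCase();
  return m[2] ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// A directive that is not set falls back to default-src; with neither, nothing is restricted.
function allowedBy(policyText, directive, url, selfOrigin) {
  const policy = parsePolicy(policyText);
  const sources = policy.get(directive) || policy.get('default-src');
  return sources ? sources.some((s) => sourceMatches(s, url, selfOrigin)) : true;
}

// Several enforced policies are combined by intersection: every one must allow the load.
function allowedByAll(policies, directive, url, selfOrigin) {
  return policies.every((p) => allowedBy(p, directive, url, selfOrigin));
}

console.log('page policy:', allowedBy(PAGE_CSP, 'media-src', BLOB_URL, PAGE_ORIGIN));
console.log('manifest policy:', allowedBy(EXT_CSP, 'media-src', BLOB_URL, PAGE_ORIGIN));
console.log('both enforced:', allowedByAll([PAGE_CSP, EXT_CSP], 'media-src', BLOB_URL, PAGE_ORIGIN));
```

The manifest's content_security_policy governs the extension's own pages, while a media element that a content script inserts into the Flickr page is checked against that page's policy. That policy has no blob: in the source list media-src falls back to, so the load is refused.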