Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Content-Security-Policy object-src blob

When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL I get an error like the following:

Refused to load plugin data from 'blob:http%3A//localhost%3A7000/f59612b8-c760-43a4-98cd-fe2a44648393' because it violates the following Content Security Policy directive: "object-src blob://*"

With a content security policy that restricts object-src or otherwise default-src one can reproduce the issue (with jQuery for convenience) like this:

blob = new Blob(
   ["%PDF-1.\ntrailer<</Root<</Pages<</Kids[<</MediaBox[0 0 3 3]>>]>>>>>>"],
   { type: "application/pdf" })
$("<embed>").attr("src", window.URL.createObjectURL(blob))
  .appendTo(document.body)

It seems from the spec that this should work, as it does for data://*. I have tried also blob, blob:, blob:*, blob:http*, blob:http:*, blob:http://*, but to no avail.

What does work, but for apparent reasons is undesirable, is object-src *.

Has anyone had any success getting blobs to load with a content security policy? Is this a problem upstream, or have I overlooked something?

like image 501
Brian M. Hunt Avatar asked Feb 12 '15 01:02

Brian M. Hunt


1 Answers

The spec compliant answer is object-src 'self' blob:

blob: should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.

like image 111
Adria Avatar answered Nov 19 '22 22:11

Adria