I want to load a video from Vimeo in a WebView. It works, but the preview image doesn't load and I get this error:
I/chromium: [INFO:CONSOLE(0)] "Refused to load the image 'android-webview-video-poster:default_video_poster/-5228946977756841864' because it violates the following Content Security Policy directive: "img-src https://i.vimeocdn.com https://secure-b.vimeocdn.com https://f.vimeocdn.com https://vimeo.com https://sb.scorecardresearch.com https://ssl.google-analytics.com https://secure.gravatar.com https://i0.wp.com https://i1.wp.com https://i2.wp.com". ", source: https://player.vimeo.com/video/172374044 (0)
How can I fix it?
WebView is in common use in Android applications. Although default configuration is secure, developers tend to introduce changes in its configuration which may introduce security risks.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
This interface was deprecated in API level 12. This interface is now obsolete.
WebView is single-process, so any security vulnerability in the renderer engine practically grants the malicious code the same rights as your application has. So basically, the rule #1 for safe WebView use is to only load trusted content inside it.
Add the following to Content-Security-Policy
meta tag img-src
directive:
android-webview-video-poster:
As in:
<meta http-equiv="Content-Security-Policy" content="default-src * gap:; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src *; img-src * data: blob: android-webview-video-poster:; style-src * 'unsafe-inline';">
You can add a poster
attribute to your <video>
tag. An empty image works. The default android-webview-video-poster
looks awful anyway.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With