Menu
I want to load a video from Vimeo in a WebView. It works, but the preview image doesn't load and I get this error:
I/chromium: [INFO:CONSOLE(0)] "Refused to load the image 'android-webview-video-poster:default_video_poster/-5228946977756841864' because it violates the following Content Security Policy directive: "img-src https://i.vimeocdn.com https://secure-b.vimeocdn.com https://f.vimeocdn.com https://vimeo.com https://sb.scorecardresearch.com https://ssl.google-analytics.com https://secure.gravatar.com https://i0.wp.com https://i1.wp.com https://i2.wp.com". ", source: https://player.vimeo.com/video/172374044 (0)
How can I fix it?
219
WebView is in common use in Android applications. Although default configuration is secure, developers tend to introduce changes in its configuration which may introduce security risks.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
This interface was deprecated in API level 12. This interface is now obsolete.
WebView is single-process, so any security vulnerability in the renderer engine practically grants the malicious code the same rights as your application has. So basically, the rule #1 for safe WebView use is to only load trusted content inside it.
Add the following to Content-Security-Policy meta tag img-src directive:
android-webview-video-poster:
As in:
<meta http-equiv="Content-Security-Policy" content="default-src * gap:; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src *; img-src * data: blob: android-webview-video-poster:; style-src * 'unsafe-inline';">
You can add a poster attribute to your <video> tag. An empty image works. The default android-webview-video-poster looks awful anyway.
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
