
WebView Content Security Policy

I want to load a video from Vimeo in a WebView. It works, but the preview image doesn't load and I get this error:

I/chromium: [INFO:CONSOLE(0)] "Refused to load the image 'android-webview-video-poster:default_video_poster/-5228946977756841864' because it violates the following Content Security Policy directive: "img-src https://i.vimeocdn.com https://secure-b.vimeocdn.com https://f.vimeocdn.com https://vimeo.com https://sb.scorecardresearch.com https://ssl.google-analytics.com https://secure.gravatar.com https://i0.wp.com https://i1.wp.com https://i2.wp.com". ", source: https://player.vimeo.com/video/172374044 (0)

How can I fix it?

like image 219
Alvaro Jose Rios Chaustre Avatar asked Jul 09 '16 01:07


2 Answers

Add the following to the img-src directive of the Content-Security-Policy meta tag:

android-webview-video-poster:

As in:

<meta http-equiv="Content-Security-Policy" content="default-src * gap:; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src *; img-src * data: blob: android-webview-video-poster:; style-src * 'unsafe-inline';">
like image 147
n33x Avatar answered Oct 15 '22 02:10
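
The meta tag in the answer above also opens every other directive to `*` and allows inline and eval'd script. As an added example (not part of the original answer), this JavaScript adds only the `android-webview-video-poster:` scheme to `img-src` of a policy you already control and leaves the other directives unchanged; the function names and the sample policy are constructed for illustration.

```javascript
// Added example, not from the original answers.
const POSTER_SCHEME = "android-webview-video-poster:";

// Parse a serialized policy into a Map: directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; keep the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(" ")).join("; ");
}

// Return the policy with the poster scheme allowed for images only.
function allowVideoPoster(policy) {
  const directives = parseCsp(policy);
  let sources = directives.get("img-src");
  if (sources === undefined) {
    const fallback = directives.get("default-src");
    // Neither directive present: images are not restricted, nothing to add.
    if (fallback === undefined) return serializeCsp(directives);
    // img-src falls back to default-src; copy it so adding img-src
    // does not drop restrictions that applied through the fallback.
    sources = [...fallback];
  }
  // 'none' must stand alone, so it is replaced rather than extended.
  sources = sources.filter((s) => s.toLowerCase() !== "'none'");
  // The scheme is added even when "*" is present, as the answer's policy does.
  if (!sources.some((s) => s.toLowerCase() === POSTER_SCHEME)) {
    sources.push(POSTER_SCHEME);
  }
  directives.set("img-src", sources);
  return serializeCsp(directives);
}

// Constructed sample policy for illustration.
const sample = "default-src 'self'; script-src 'self'; img-src https://i.vimeocdn.com";
console.log(allowVideoPoster(sample));
```
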



You can add a poster attribute to your <video> tag. An empty image works. The default android-webview-video-poster looks awful anyway.

like image 30
e741af0d41bc74bf854041f1fbdbf Avatar answered Oct 15 '22 02:10
