Content Security Policy fixes #11552
Conversation
…a-src sources. Add data: and mediastream: protocols to media-src.
|
I'm not sure what the Travis CI failure is about. It looks like some sort of unrelated timeout. |
|
I need this in my project as well. The code below is not working right now; |
|
Can you please merge my PR? This bug is costing me money. |
|
We're still looking in to this to ensure there aren't any unforeseen consequences. Relaxing the security could cause problems that we haven't seen before. The developers are looking into it and if they give the thumbs up, we'll go ahead and merge this. I'll have another update for you on Friday. |
|
This patch actually gets CSP behavior closer to what it used to be. Chromium has been tightening down how they parse CSP headers. The CSP line in the Atom source has been the same for years, but only recently did a new enough version of Chromium (in the form of Electron) ship in Atom to cause breakage. See https://bugs.chromium.org/p/chromium/issues/detail?id=473904 for more patchsets related to stricter CSP parsing. |
|
Talked it over with the devs and the security experts. They gave the 👍 |
Content Security Policy fixes
Content Security Policy fixes
Add blob: protocol to img-src and media-src sources. Add data: and mediastream: protocols to media-src.
These changes are needed to fix video chat in the Floobits Atom plugin (issue Floobits/floobits-atom#114). A CSP directive of
default-src: *doesn't cover protocols likeblob:,data:, ormediastream:, which the Floobits package uses.