CSP policy error when lazy-loading


I want to use the video.min.js library in widget, when loading it from OH static directory I get this error:

Refused to create a worker from 'blob:http://<OH>/f675bf28-a6df-4b59-b032-23e6e02326c6' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-5hvlzGKhlKhafFjW6G/cRVpM/e+JewYxe/pLpQ5Kj9M='". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

This is how I load it into a widget:

<div oc-lazy-load="{serie: true, files: ['/static/VXG.WebPlayer.SDK/vxgwebsdk/video.min.js', '/static/VXG.WebPlayer.SDK/vxgwebsdk/webrtc-adapter-latest.js', '/static/VXG.WebPlayer.SDK/vxgwebsdk/CloudSDK.min.js', '/static/VXG.WebPlayer.SDK/vxgwebsdk/CloudSDK.min.js', '/static/vxg-camera.js'] }">
	<div id="player1"></div>

Am I loading it correctly? Does this mean there’s something wrong with video.min.js regarding the HabPanel CSP policy?

Does this help ?

Well @Wolfgang_S, it explains why we are getting this error and what needs to be changed. However, the CSP policy is set top level in the element of HabPanel and can only be adjusted if the openhab team is willing to change it for this purpose. I can’t change it at the widget level.

It means that you need explicitly add blob: data schema to default-src or worker-src.

So this:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-5hvlzGKhlKhafFjW6G/cRVpM/e+JewYxe/pLpQ5Kj9M='; style-src 'self' 'unsafe-inline';">

Needs to change to this:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-5hvlzGKhlKhafFjW6G/cRVpM/e+JewYxe/pLpQ5Kj9M='; style-src 'self' 'unsafe-inline' blob:;">

that is what I was afraid of.

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.