Component: Untriaged → DOM: Security
Product: Firefox → Core
The spec says you need to explicitly add blob: to your whitelist. In our opinion Chrome has a bug, but even so it doesn't hurt to add blob: to the string for them too. See https://w3c.github.io/webappsec/specs/content-security-policy/#match-source-expression section 4.2.2 step 2
(In reply to Daniel Veditz [:dveditz] from comment #1) > The spec says you need to explicitly add blob: to your whitelist. In our > opinion Chrome has a bug, but even so it doesn't hurt to add blob: to the > string for them too. > > See > https://w3c.github.io/webappsec/specs/content-security-policy/#match-source- > expression section 4.2.2 step 2 Thanks Dan; that is absolutely right, blob: has to be explicitly whitelisted in the CSP. Marking this bug as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.