MobileChromeApps / mobile-chrome-apps

Chrome apps on Android and iOS
BSD 3-Clause "New" or "Revised" License

window.URL.createObjectURL doesn't work with gopher:// changes #589

Closed StephenFluin closed 9 years ago

StephenFluin commented 9 years ago

I load user images from the web via XHR. This used to work when I would do this:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', imageUrl, true);
    xhr.responseType = 'blob';
    xhr.onload = function(e) {
      var img = document.getElementById('profileImage');
      img.src = window.URL.createObjectURL(this.response);

    };

    xhr.send();

Now with the new gopher URLs in 0.7.3, I get the following error on Android:

    I/chromium( 5960): [INFO:CONSOLE(0)] "Refused to load the image 'blob:file%3A///35b71821-e3d9-43cd-a560-6c29d499c012' because it violates the following Content Security Policy directive: "default-src file: data: chrome-extension: gopher: https://ssl.gstatic.com". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

agrieve commented 9 years ago

Looks like the problem was unrelated to the 0.7.3 changes, but rather from the latest Android WebView update changing Content-Security-Policy to block blob: urls (CSPv1 didn't have them blocked, but CSPv2 adds them to the block list).

I've published an update to add them to the CSP whitelist (v0.7.4).
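
Added example, not part of the thread or the project's code: a simplified source-list check that reproduces why the reported policy refuses the `blob:` image (no `img-src`, so `default-src` applies, and it lists no `blob:` scheme). The function names are hypothetical, and only scheme sources and `scheme://host` sources are handled; how v0.7.4 actually amends the policy is not shown on this page.

```javascript
// Simplified CSP image check: scheme-sources and scheme://host sources only.
// Not a full CSP implementation (no paths, ports, wildcards, 'self', nonces).

// Policy string copied from the console error in the report above.
const REPORTED_POLICY =
  "default-src file: data: chrome-extension: gopher: https://ssl.gstatic.com";

// Parse "name src src; name src" into { name: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Images are governed by img-src, falling back to default-src when absent.
function effectiveImageDirective(directives) {
  if ("img-src" in directives) return "img-src";
  if ("default-src" in directives) return "default-src";
  return null; // policy places no restriction on images
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function imageAllowed(policy, url) {
  const directives = parsePolicy(policy);
  const name = effectiveImageDirective(directives);
  if (name === null) return { allowed: true, directive: null };
  const scheme = schemeOf(url);
  const allowed = directives[name].some((src) => {
    const s = src.toLowerCase();
    // Scheme-source such as "data:" or "blob:" must match the URL scheme exactly.
    if (s.endsWith(":") && !s.includes("/")) return s === scheme + ":";
    const host = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/.exec(s); // scheme://host
    if (!host || host[1] !== scheme) return false;
    try { return new URL(url).hostname === host[2]; } catch { return false; }
  });
  return { allowed, directive: name };
}
```

Adding a separate `img-src blob:` directive instead of extending `default-src` would allow the blob image but stop the `default-src` fallback for images, so `data:` and `file:` images would then be refused.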