nimiq / qr-scanner

Lightweight Javascript QR Code Scanner
https://nimiq.github.io/qr-scanner/demo
MIT License

SecurityError on safari #230

Open julianjelfs opened 1 year ago

julianjelfs commented 1 year ago

When I try to scan with Safari (either on iOS 16.4 or macOS 13.3) I get a decoding error: securityerror: The operation is insecure.

This error seems to be coming from the worker but I'm not able to figure out what's going on in any more detail.

I have a hunch it is something to do with how my project is being built, since this problem does not occur on the demo page.

I am using rollup and can see that it has automatically created a qr-scanner-worker.min-123456.js (where 123456 is some build number) and copied it to my build directory successfully.

Any help would be appreciated.

gorner commented 1 year ago

Hi, came across this issue while researching this item. I was able to figure out that, in addition to the site being served over HTTPS, the site's Content Security Policy has to be set up with a worker-src directive that includes blob:, e.g. worker-src 'self' blob:;. This appears to be due to more restrictive default browser settings for Safari on iOS. Hope this helps you or anyone else experiencing this issue.

Edit: Subsequently I discovered that this is discouraged by the W3C in the CSP2 spec:

allowing "blob:" or "filesystem:" URLs is equivalent to unsafe-eval.

There isn't a similar statement in the draft CSP3, but another approach may be preferable if you can find it.
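
Added example, not part of the original thread and not code from the qr-scanner project: a small checker that reports whether a given Content Security Policy lets a page start a worker from a blob: URL, following the CSP3 fallback order for workers (worker-src, child-src, script-src, default-src). It also flags policies where blob: sits in the directive governing scripts, which is a wider grant than the worker-src form quoted above. The function names and sample policies are constructed for illustration.

```javascript
// CSP3 fallback chain that decides which directive governs Worker creation.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // e.g. after a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return directives;
}

function checkBlobWorker(policy) {
  const directives = parseCsp(policy);
  const governing = WORKER_FALLBACK.find((d) => directives.has(d)) || null;
  // Only an explicit blob: scheme-source matches a blob: URL; 'self' and * do not.
  const allowed = governing === null || directives.get(governing).includes('blob:');
  // Separately: does the directive that governs scripts also accept blob:?
  const scriptDir = ['script-src', 'default-src'].find((d) => directives.has(d));
  const blobInScriptSrc = scriptDir ? directives.get(scriptDir).includes('blob:') : false;
  return { allowed, governing, blobInScriptSrc };
}

// Constructed sample policies, not taken from any real site.
const samples = [
  "default-src 'self'",
  "default-src 'self'; worker-src 'self' blob:;",
  "script-src 'self' blob:",
  'default-src *',
];
for (const p of samples) {
  console.log(p, '=>', JSON.stringify(checkBlobWorker(p)));
}
```

Scoping blob: to worker-src, as in the second sample, keeps script-src free of it; the third sample permits blob: workers only because blob: scripts are permitted as well.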

jampy commented 9 months ago

Probably related to / duplicate of #221