zachomedia / apple-music-webplayer

Web player for Apple Music (using MusicKit JS)
https://music.zacharyseguin.ca
MIT License

Content Security Policy #33

Closed agg23 closed 6 years ago

agg23 commented 6 years ago

On attempting to play anything in Safari 11.1.2 for Mac, it just sits there spinning and logs: `Refused to load *url* because it does not appear in the media-src directive of the Content Security Policy.`

I believe this is trivially solved by adding a `<meta http-equiv="Content-Security-Policy">` to the header of each page, allowing access to Apple's AWS.

zachomedia commented 6 years ago

Hm, sorry about that. I thought I managed to whitelist everything.

Can you give me the exact URL it’s trying to connect to?

I may also just remove the CSP if this gets more complicated.

agg23 commented 6 years ago

I'm not sure what parts of the URL are private, but I assume you only need the domain. The endpoint is https://apple-sg-us-std-000001.s3.amazonaws.com. It's possible (and perhaps likely) that there are different endpoints for iTunes Match and Apple Music, and this may be an iTunes Match item.

zachomedia commented 6 years ago

I had s3 whitelisted for images but not for media. I've added s3 now to the media whitelist - can you try now?

agg23 commented 6 years ago

It is indeed fixed now.

zachomedia commented 6 years ago

Great! Thanks for reporting the issue.
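
The failure in this thread, as an added example that is not code from the project or from either commenter: CSP fetch directives are evaluated independently, so a host allowed under `img-src` is still refused for audio until it also appears under `media-src`. The two policies, the `media.example.com` source, the `*.s3.amazonaws.com` pattern and the track path are constructed assumptions; only the S3 hostname comes from the issue.

```javascript
// Added example: simplified CSP fetch-directive check (not a full CSP3 matcher).
// Policies and the track path are constructed; only the S3 host comes from the issue.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url) {
  if (source.startsWith("'")) return false; // keywords ('self', 'none', ...) are not modelled
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  // Simplification: exact scheme match; ports and paths in the source are ignored.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  if (scheme ? scheme !== url.protocol : !['http:', 'https:'].includes(url.protocol)) return false;
  const host = m[2].toLowerCase();
  // "*.example.com" covers subdomains only, never the bare domain.
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

function checkFetch(policy, directive, rawUrl) {
  const directives = parseCsp(policy);
  // media-src, img-src and other fetch directives fall back to default-src when absent;
  // a source listed under img-src is never consulted for a media load.
  const effective = directives.has(directive) ? directive : 'default-src';
  const sources = directives.get(effective);
  if (!sources) return { allowed: true, effective: null }; // nothing restricts this fetch
  const url = new URL(rawUrl);
  return { allowed: sources.some((s) => sourceMatches(s, url)), effective };
}

// Constructed policies: S3 allowed for images only, then for media as well.
const BEFORE = "default-src 'self'; img-src 'self' https://*.s3.amazonaws.com; media-src 'self' https://media.example.com";
const AFTER = "default-src 'self'; img-src 'self' https://*.s3.amazonaws.com; media-src 'self' https://media.example.com https://*.s3.amazonaws.com";
const TRACK = 'https://apple-sg-us-std-000001.s3.amazonaws.com/track.m4a';

console.log('before:', checkFetch(BEFORE, 'media-src', TRACK));
console.log('after: ', checkFetch(AFTER, 'media-src', TRACK));
```

Running the same check for every resource type the player loads (images, media, scripts, connections) against a candidate policy catches this kind of gap before deployment, which is a safer route than dropping the CSP.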