Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

How to make HTML5 <video> compatible with CSP (Google Chrome)? #75

BigBenJr opened this issue Jan 10, 2019 · 9 comments

How to make HTML5 <video> compatible with CSP (Google Chrome)? #75

BigBenJr opened this issue Jan 10, 2019 · 9 comments


Copy link

BigBenJr commented Jan 10, 2019

Hello there,

I use HTML5 video element on my website and a strict Content-Security-Policy directive (default-src 'self'). I get this error message in Google Chrome console when I load for the first time a page with video element:

[Report Only] Refused to load the image '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

[Report Only] Refused to load the image '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

There is a total of 9 data:image violating CSP directive. These data:image are used for the controls of video element. If they are blocked it is impossible to use the video element.

I am aware of the possibility to use "img-src 'self' data:;" directive, but I would like to avoid this solution as it reduce the protection I could get from strict CSP directives.

I notice that HTML5 video element does not violate CSP directive when I use Edge or Firefox.

Is it possible to fix this issue ? Thank you.

Copy link


yes, this seems to be a Chrome issue, I was able to reproduce it here:

and data: in img-src fixes the problem. This is a browser bug.

@nico3333fr nico3333fr self-assigned this Jan 11, 2019
Copy link

Bug reported here: ;)

Copy link

This is not a bug : data: should be precised, as it can inject JS, CSS , or as there, an SVG image which may include JS content, font (to target, unanonymise people,...) etc

Copy link

@dascritch it is a problem: this is the image that Chrome displays to load the video. As it is a browser-related, it should not trigger any CSP violation. (or you have to trigger data: for displaying videos on Chrome... that makes no sense ^^)

Copy link

Thanks for the report nico.
I guess the only solution is to use data: in img-src until bug is solved.

Copy link

Same bug happens on Safari:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15

{"csp-report":{"document-uri":"https://xxx","referrer":"","violated-directive":"default-src 'self'","effective-directive":"img-src","original-policy":"default-src 'self'; report-uri https://xxx","blocked-uri":"data","status-code":0}}

Copy link

Do you have ghostery activated? It seems the problems comes from here.

Copy link

I don't have Ghostery.
I don't get message error on your website, but I still get one on my website even with all extensions swtich off. What are your CSP directives ?
Could you make a test on my website ?

Copy link

This is strange: I've the same bug with Ghostery enabled on your website (a CSP violation on img-src because data: is not enabled in default-src), if I disable Ghostery, no CSP violation on your website.

# for free to join this conversation on GitHub. Already have an account? # to comment
None yet
None yet

No branches or pull requests

3 participants