CSP errors from video.min.js
BasvanH opened this issue · comments
Hello,
We are integrating the SDK into HabPanel. This is an widget based web ui so you can build dashboards from OpenHab devices. We want to display the camera's with this SDK in a widget.
The CSP policy of HabPanel is:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-5hvlzGKhlKhafFjW6G/cRVpM/e+JewYxe/pLpQ5Kj9M='; style-src 'self' 'unsafe-inline';">
When lazy-loading the SDK we get an error on video.min.js
Refused to create a worker from 'blob:http://<webserver>/f675bf28-a6df-4b59-b032-23e6e02326c6' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-5hvlzGKhlKhafFjW6G/cRVpM/e+JewYxe/pLpQ5Kj9M='". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
We cannot change the CSP policy as it is fixed coded in the HabPanel framework. The author of video.min.js is aware of weak CSP compliance, but it doesn't look like it's top priority. Since this SDK includes video.min.js, what can VXG do regarding this issue?
Regards,
Bastiaan