A bunch of errors "violates the following Content Security Policy directive: script-src 'none'"

Question

A bunch of errors "violates the following Content Security Policy directive: script-src 'none'"

DATEx2 opened this issue 2 months ago · comments

We are getting a bunch of errors like this

What are we doing wrong?
We are using simple iframes to render vimeo videos and these errors pop up in the console

`
[Report Only] Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

888459704:34 [Report Only] Refused to load the script 'https://f.vimeocdn.com/p/4.33.5/js/player.module.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

888459704:35 [Report Only] Refused to load the script 'https://f.vimeocdn.com/p/4.33.5/js/vendor.module.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

888459704?h=c5387031da:107 [Report Only] Refused to load the script 'https://f.vimeocdn.com/js_opt/modules/utils/vuid.min.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

window.loadScript @ 888459704?h=c5387031da:107
window.loadVUID @ 888459704?h=c5387031da:107
(anonymous) @ 888459704?h=c5387031da:118
Promise.then (async)
(anonymous) @ 888459704?h=c5387031da:118
vendor.module.js:2 [Report Only] Refused to load the script 'https://www.gstatic.com/cv/js/sender/v1/cast_sender.js?loadCastFramework=1' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

t.loadLibrary @ vendor.module.js:2
(anonymous) @ vendor.module.js:2
t.setup @ vendor.module.js:2
n.init @ player.module.js:2
(anonymous) @ player.module.js:2
(anonymous) @ player.module.js:2
j @ player.module.js:2
(anonymous) @ player.module.js:2
Promise.then (async)
init @ player.module.js:2
hv @ player.module.js:2
(anonymous) @ 888459704?h=c5387031da:118
Promise.then (async)
(anonymous) @ 888459704?h=c5387031da:118
cast_sender.js?loadCastFramework=1:10 [Report Only] Refused to load the script 'https://www.gstatic.com/cast/sdk/libs/sender/1.0/cast_framework.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

E @ cast_sender.js?loadCastFramework=1:10
K @ cast_sender.js?loadCastFramework=1:11
(anonymous) @ cast_sender.js?loadCastFramework=1:11
(anonymous) @ cast_sender.js?loadCastFramework=1:12
cast_sender.js?loadCastFramework=1:10 [Report Only] Refused to load the script 'https://www.gstatic.com/eureka/clank/125/cast_sender.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
`

Geoff · Answer 1 · Sat May 18 2024 01:35:15 GMT+0800 (China Standard Time)

When looking into issue #1031 this morning, I encountered a similar error stack when running our app in an emulator.

Eventually, the errors just stopped happening

DATEx2 · Answer 2 · Sat May 18 2024 01:44:58 GMT+0800 (China Standard Time)

This is all we do - a bunch of iframes on the same page like this:

<iframe src="https://player.vimeo.com/video/891246844?h=391d297fb8" frameborder="0" allow="autoplay; fullscreen; picture-in-picture">
</iframe>

Nolan Frausto · Answer 3 · Sat May 18 2024 01:50:51 GMT+0800 (China Standard Time)

+1 We are seeing the same issue

Rowan Krishnan · Answer 4 · Sat May 18 2024 01:51:26 GMT+0800 (China Standard Time)

@DATEx2 If you're still encountering these errors, can you provide steps to reproduce? I'm not able to reproduce using the embed code you shared on desktop Chrome.

gintermaggio-am · Answer 5 · Sat May 18 2024 01:55:13 GMT+0800 (China Standard Time)

@rkrishnan8594 We're seeing this issue specifically when we are injecting HTML into a React Native webview which loads the Vimeo SDK via CDN. Interestingly, we do not see the issue when we load a remote webpage into the webview which itself loads the SDK via our own bundle.

gintermaggio-am · Answer 6 · Sat May 18 2024 02:04:29 GMT+0800 (China Standard Time)

Note that we've also verified:

it was not a code change of ours (checked prior commits)
it does not seem to be related to the version of the vimeo SDK loaded via the CDN (checked prior versions)
it does not seem likely to be a browser related issue as react-native-webview uses different drivers between Android/iOS and we are experiencing the issue on both platforms.

DATEx2 · Answer 7 · Sat May 18 2024 02:14:13 GMT+0800 (China Standard Time)

We are not using REACT -> instead we are just adding the HTML IFRAME element via javascript to the DOM

DATEx2 · Answer 8 · Sat May 18 2024 02:16:40 GMT+0800 (China Standard Time)

You can see it being reporduced here
https://datex2wd.bike/products/herox1?options=1,4,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

Rowan Krishnan · Answer 9 · Sat May 18 2024 02:43:16 GMT+0800 (China Standard Time)

In order to investigate this, we'll need a standalone example (in an JSFiddle, Codepen, or something similar) in a sandbox environment where this issue is occurring. This issue shouldn't occur if the player is being loaded within an iframe.

Andrew Chung · Answer 10 · Tue Jun 04 2024 01:46:23 GMT+0800 (China Standard Time)

I've put together a jsfiddle that consistently reproduces the error. It occurs in ~1/20 loads which is why there are multiple iframes. It may require a page reload for it to appear