Hi Arun,
Regarding <meta http-equiv='Content-Security-Policy' content='img-src *;’/>
- In the above html snippet, CSP of img tag is set to load
from all except file scheme.
I think the above statement is not correct. For me it loads both file and https
images with img-src *; (tested in hellowebview and chrome). I guess the
reason why the 2nd image (https) is not loaded with the above code is that there is a
mismatch of backquote (’) for alt='from file:’
Also from spec [1] img-src *; means "Images may load from anywhere (note the
"*" wildcard)."
I think to load from file: scheme, there is no need to specify explicitly in
the CSP header (apart from "*" wild card)
Please correct me if I'm wrong.
Thanks,
Murali
-----Original Message-----
From: Arunprasad Rajkumar
Sent: Tuesday, November 20, 2018 12:39 PM
To: Anton Tarasov <[email protected]>
Cc: [email protected]
Subject: Re: issue with WebView in 8u202
Hi Anton,
Looks like this is mostly related to Content Security Policy (CSP) [1], which has
been strengthened after recent WebKit upgrades.
I have reduced the given html further(PSB) & I could reproduce the problem with
the following html snippet,
<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src *;’/></head> <body>
<img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from
file:’/> <img
src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
alt=‘from http:’/> </body></html>
In the above html snippet, CSP of img tag is set to load from all except file
scheme. It would load img from http: but not from file. If you also want to
load from file: scheme, then you must explicitly set that in the CSP header.
Something like below,
<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src file: *;’/></head>
<body> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg'
alt='from file:’/> <img
src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
alt=‘from http:’/> </body></html>
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Thanks,
Arun
> On 20-Nov-2018, at 10:04 AM, Anton Tarasov <[email protected]>
> wrote:
>
> Thanks for the catch, Kevin! Seems very likely. Is it the thing configured at
> compile-time?
>
> Regards,
> Anton.
>
> On 11/20/2018 12:51 AM, Kevin Rushforth wrote:
>> I can reproduce it and it seems related to Cross-Site-Scripting (XSS)
>> protections, which you have enabled in your HTML header with:
>>
>> <meta http-equiv="Content-Security-Policy" ...>
>>
>> If I remove the 'http-equiv="Content-Security-Policy"' from the meta-data
>> then it displays just fine.
>>
>> Perhaps Arun or Murali could comment on whether this is a bug or not. It
>> seems just as likely to me that it is a feature that didn't used to be
>> enabled and now is.
>>
>> -- Kevin
>>
>>
>> On 11/19/2018 1:44 PM, Anton Tarasov wrote:
>>> Hi Kevin,
>>>
>>> On 11/20/2018 12:21 AM, Kevin Rushforth wrote:
>>>> Hi Anton,
>>>>
>>>> We'll take a look and see if we can reproduce it. Am I correct in
>>>> understanding that the problem only happens with loadContent, which works
>>>> on 8u152 and fails on 8u202-ea? And that load from a file works fine on
>>>> both 8u152 and 8u202-ea?
>>>>
>>> Yes, that's right. I've also checked that it's broken in the latest jfx12
>>> as well. I'd appreciate your help in resolving this.
>>>
>>> Thanks,
>>> Anton.
>>>
>>>>
>>>> -- Kevin
>>>>
>>>>
>>>> On 11/19/2018 12:17 PM, Anton Tarasov wrote:
>>>>> Hello, JFX team!
>>>>>
>>>>> We (at JetBrains) faced an issue with WebView after we've moved to a JFX
>>>>> update in JDK8u202. The issue is that WebView stopped loading images
>>>>> referenced by an absolute URL under some circumstances.
>>>>>
>>>>> Below is a real html content, produced by IDEA markdown viewer. It has
>>>>> lots of style pre-loads and a sample image that it should eventually
>>>>> display. The html is loaded via WebEngine.loadContent(..) but only a
>>>>> placeholder text is displayed - that's the problem that can be
>>>>> reproduced with JDK8u202. However it worked with JDK8u152.
>>>>>
>>>>> The style references will obviously fail for you, but if you put this
>>>>> html into a file and load it via
>>>>> WebEngine.load(file:///path/to/file), the image will be shown with no
>>>>> problem (in 8u202 as well).
>>>>>
>>>>> <html><head><meta http-equiv="Content-Security-Policy"
>>>>> content="default-src 'none'; script-src
>>>>> http://localhost:63344/api/markdown-preview/scripts/processLinks.j
>>>>> s?_ijt=ujioejund46k8cmdcsuggbpnf3
>>>>> http://localhost:63344/api/markdown-preview/scripts/scrollToElemen
>>>>> t.js?_ijt=ujioejund46k8cmdcsuggbpnf3; style-src https:
>>>>> http://localhost:63344/api/markdown-preview/styles/default.css?_ij
>>>>> t=ujioejund46k8cmdcsuggbpnf3
>>>>> http://localhost:63344/api/markdown-preview/styles/darcula.css?_ij
>>>>> t=ujioejund46k8cmdcsuggbpnf3
>>>>> http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt
>>>>> =ujioejund46k8cmdcsuggbpnf3; img-src *; connect-src 'none';
>>>>> font-src *; object-src 'none'; media-src 'none'; child-src
>>>>> 'none';"/><link rel="stylesheet"
>>>>> href="http://localhost:63344/api/markdown-preview/styles/default.c
>>>>> ss?_ijt=ujioejund46k8cmdcsuggbpnf3" />
>>>>>
>>>>> <script
>>>>> src="http://localhost:63344/api/markdown-preview/scripts/processLi
>>>>> nks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
>>>>> <script
>>>>> src="http://localhost:63344/api/markdown-preview/scripts/scrollToE
>>>>> lement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body
>>>>> md-src-pos="0..89"><p md-src-pos="0..88"><img
>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg
>>>>> " alt="Kitten" title="A cute kitten" md-src-pos="0..88"
>>>>> /></p></body></html>
>>>>>
>>>>> Then, if you remove all the style loading and leave only the
>>>>> image, the image will be shown in either way: load(url) or
>>>>> loadContent (in 8u202)
>>>>>
>>>>> <html><head></head><body md-src-pos="0..89"><p
>>>>> md-src-pos="0..88"><img
>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg
>>>>> " alt="Kitten" title="A cute kitten" md-src-pos="0..88"
>>>>> /></p></body></html>
>>>>>
>>>>> Sorry for not submitting the code, I hope you will easily put it into a
>>>>> real demo (I played with JFX's WebViewApp).
>>>>>
>>>>> So, could you please advise on what went wrong with it?
>>>>>
>>>>> With regards,
>>>>> Anton.
>>>>
>>>
>>
>
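The thread above turns on whether the bare `*` wildcard in `img-src *` covers file: URLs, and whether an explicit `file:` scheme-source is needed. The following Python script is an added illustration written for this page; it is not code from the thread, from WebKit or from JavaFX. It models the CSP3 source-expression rules for the cases discussed: `'none'`, `'self'`, the `*` wildcard (which, per CSP3, matches HTTP(S) URLs or URLs whose scheme equals the document's own scheme), an explicit scheme-source such as `file:`, plain host-sources, and the fallback from `img-src` to `default-src`. The document origins passed in (`https://example.com/`, `file:///C:/page.html`, `about:blank`) are constructed sample values; in particular, treating a `loadContent` document as a non-file origin is an assumption, not something verified against WebView.

```python
"""Minimal CSP source-list matcher for image loads (added illustration).

Assumption: the 'document origin' passed in is the scheme/host of the page
that carries the <meta http-equiv="Content-Security-Policy"> tag. Path and
port matching of host-sources are deliberately omitted to keep the model short.
"""
from urllib.parse import urlsplit

HTTP_SCHEMES = {"http", "https"}


def parse_csp(policy: str) -> dict:
    """Parse 'name src src; name src' into {name: [src, ...]}.

    An empty source list (e.g. 'img-src;') is kept as [] which, as in CSP,
    behaves like 'none'. The first occurrence of a directive wins.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), sources)
    return directives


def source_matches(expr: str, url: str, doc_origin: str) -> bool:
    """Return True if a single source expression allows loading url."""
    u = urlsplit(url)
    d = urlsplit(doc_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (d.scheme, d.hostname, d.port)
    if expr.startswith("'"):
        return False  # other keyword sources ('unsafe-inline', ...) never match a URL
    if expr == "*":
        # CSP3: '*' matches HTTP(S) URLs, or URLs sharing the document's scheme.
        # So 'img-src *' covers file: images only from a file: document.
        return u.scheme in HTTP_SCHEMES or u.scheme == d.scheme
    if expr.endswith(":") and "/" not in expr:
        # scheme-source such as 'file:' or 'https:' -- matches regardless of origin
        return u.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; port and path ignored here
    scheme, _, rest = expr.rpartition("://")
    host = rest.split("/", 1)[0].rsplit(":", 1)[0].lower()
    if scheme:
        if u.scheme != scheme.lower():
            return False
    elif u.scheme not in HTTP_SCHEMES and u.scheme != d.scheme:
        return False
    hostname = (u.hostname or "").lower()
    if host.startswith("*."):
        return hostname.endswith(host[1:])
    return hostname == host


def allows_image(policy: str, url: str, doc_origin: str) -> bool:
    """Decide an image load: img-src governs, else default-src, else unrestricted."""
    directives = parse_csp(policy)
    sources = directives.get("img-src", directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, doc_origin) for s in sources)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two snippets discussed above.
    file_img = "file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
    https_img = "https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg"
    for policy in ("img-src *;", "img-src file: *;"):
        for origin in ("https://example.com/", "file:///C:/page.html"):
            print(f"{policy!r:22} origin={origin:24} file={allows_image(policy, file_img, origin)!s:5} "
                  f"https={allows_image(policy, https_img, origin)}")
```

Run it as a script to see the matrix: with `img-src *` the file: image passes only when the document itself came from a file: URL, while `img-src file: *` passes it from any origin. The model says nothing about how WebKit assigns an origin to content handed to `loadContent`; that is the open question the thread is really about.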