Hi Arun,
The reason appeared to be quite simple, thank you for the details!
Regards,
Anton.
On 11/20/2018 10:09 AM, Arunprasad Rajkumar wrote:
Hi Anton,
Looks like this is mostly related to Content Security Policy (CSP) [1],
which has been strengthened after recent WebKit upgrades.
I have reduced the given HTML further (PSB) and I could reproduce the
problem with the following HTML snippet:
<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src *;'/></head>
<body>
<img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg'
alt='from file:'/>
<img
src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
alt='from http:'/>
</body></html>
In the above HTML snippet, the CSP for the img tag is set to load from all
schemes except the file scheme. It would load an img from http: but not from
file:. If you also want to load from the file: scheme, then you must
explicitly set that in the CSP header. Something like below:
<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src file: *;'/></head>
<body>
<img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg'
alt='from file:'/>
<img
src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
alt='from http:'/>
</body></html>
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Thanks,
Arun
On 20-Nov-2018, at 10:04 AM, Anton Tarasov
<anton.tara...@jetbrains.com> wrote:
Thanks for the catch, Kevin! Seems very likely. Is it the thing
configured at compile-time?
Regards,
Anton.
On 11/20/2018 12:51 AM, Kevin Rushforth wrote:
I can reproduce it and it seems related to Cross-Site-Scripting
(XSS) protections, which you have enabled in your HTML header with:
<meta http-equiv="Content-Security-Policy" ...>
If I remove the 'http-equiv="Content-Security-Policy"' from the
meta-data then it displays just fine.
Perhaps Arun or Murali could comment on whether this is a bug or
not. It seems just as likely to me that it is a feature that didn't
use to be enabled and now is.
-- Kevin
On 11/19/2018 1:44 PM, Anton Tarasov wrote:
Hi Kevin,
On 11/20/2018 12:21 AM, Kevin Rushforth wrote:
Hi Anton,
We'll take a look and see if we can reproduce it. Am I correct in
understanding that the problem only happens with loadContent,
which works on 8u152 and fails on 8u202-ea? And that load from a
file works fine on both 8u152 and 8u202-ea?
Yes, that's right. I've also checked that it's broken in the latest
jfx12 as well. I'd appreciate your help in resolving this.
Thanks,
Anton.
-- Kevin
On 11/19/2018 12:17 PM, Anton Tarasov wrote:
Hello, JFX team!
We (at JetBrains) faced an issue with WebView after we moved
to a JFX update in JDK8u202. The issue is that WebView stopped
loading images referenced by an absolute URL under some
circumstances.
Below is real HTML content, produced by the IDEA markdown viewer.
It has lots of style pre-loads and a sample image that it should
eventually display. The HTML is loaded via
WebEngine.loadContent(..) but only a placeholder text is
displayed - that's the problem that can be reproduced with
JDK8u202. However it worked with JDK8u152.
The style references will obviously fail for you, but if you put
this HTML into a file and load it via
WebEngine.load(file:///path/to/file), the image will be shown
with no problem (in 8u202 as well).
<html><head><meta http-equiv="Content-Security-Policy"
content="default-src 'none'; script-src
http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3;
style-src https:
http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/styles/darcula.css?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt=ujioejund46k8cmdcsuggbpnf3;
img-src *; connect-src 'none'; font-src *; object-src 'none';
media-src 'none'; child-src 'none';"/><link rel="stylesheet"
href="http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3"
/>
<script
src="http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
<script
src="http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body
md-src-pos="0..89"><p md-src-pos="0..88"><img
src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
alt="Kitten" title="A cute kitten" md-src-pos="0..88"
/></p></body></html>
Then, if you remove all the style loading and leave only the
image, the image will be shown either way: load(url) or
loadContent (in 8u202)
<html><head></head><body md-src-pos="0..89"><p
md-src-pos="0..88"><img
src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
alt="Kitten" title="A cute kitten" md-src-pos="0..88"
/></p></body></html>
Sorry for not submitting the code, I hope you will easily put it
into a real demo (I played with JFX's WebViewApp).
So, could you please advise on what went wrong with it?
With regards,
Anton.
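
Added example, not part of the thread and not WebKit's or JavaFX's code: a simplified JavaScript model of how `img-src` source expressions are matched, following the CSP Level 3 rule that `*` covers only HTTP(S) URLs and URLs that share the document's own scheme. The function names, the sample file paths and the use of `about:` as the scheme of a document loaded from a string are assumptions for illustration.

```javascript
// Simplified CSP source-list check for images (illustrative model only).
// Not handled: host wildcards, paths, ports, 'self', nonces, hashes.

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression allow `url` for a document with `documentScheme`?
function sourceMatches(source, url, documentScheme) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === '*') {
    // The wildcard is not "any scheme": HTTP(S) plus the document's scheme.
    return target.protocol === 'http:' || target.protocol === 'https:' ||
           target.protocol === documentScheme;
  }
  // scheme-source such as "file:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === target.protocol;
  }
  // host-source: reduced here to an exact origin comparison
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  return allowed.origin !== 'null' && allowed.origin === target.origin;
}

// img-src governs images; default-src is the fallback when it is absent.
function imgAllowed(policy, url, documentScheme) {
  const directives = parsePolicy(policy);
  const list = directives.get('img-src') ?? directives.get('default-src');
  if (list === undefined) return true; // no directive restricts images
  return list.some((s) => sourceMatches(s, url, documentScheme));
}

// Constructed sample inputs; "about:" stands in for loadContent (assumption).
const FILE_IMG = 'file:///tmp/kitten.jpg';
const HTTPS_IMG = 'https://example.com/kitten.jpg';
console.log(imgAllowed('img-src *;', FILE_IMG, 'about:'));       // loadContent
console.log(imgAllowed('img-src file: *;', FILE_IMG, 'about:')); // corrected
console.log(imgAllowed('img-src *;', FILE_IMG, 'file:'));        // load(file:)
```

Under this model the same `img-src *` policy blocks the `file:` image when the page comes from a string and permits it when the page itself is loaded from a `file:` URL, which matches the behaviour reported in the thread.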