Quote mismatch is due to mail client’s auto formatting. For more clarity I have attached the test code as a file. Also the solution which I had suggested is only for WebEngine.loadContent.
Thanks,
Arun

> On 20-Nov-2018, at 1:44 PM, Murali Billa <murali.bi...@oracle.com> wrote:
>
> Hi Arun,
>
> Regarding <meta http-equiv='Content-Security-Policy' content='img-src *;’/>
> - In the above html snippet, CSP of img tag is set to load
> from all except file scheme.
>
> I think the above statement is not correct. For me it loads both file and
> https images with img-src *; (tested in hellowebview and chrome). I guess
> the reason why the 2nd image(https) is not loaded with above code is there
> is a mismatch of backquote (’) for alt='from file:’
> Also from spec [1] img-src *; means "Images may load from anywhere (note
> the "*" wildcard)."
>
> I think to load from file: scheme, there is no need to specify explicitly in
> the CSP header (apart from "*" wild card)
>
> Please correct me if I'm wrong.
>
> Thanks,
> Murali
>
> -----Original Message-----
> From: Arunprasad Rajkumar
> Sent: Tuesday, November 20, 2018 12:39 PM
> To: Anton Tarasov <anton.tara...@jetbrains.com>
> Cc: openjfx-dev@openjdk.java.net
> Subject: Re: issue with WebView in 8u202
>
> Hi Anton,
>
> Looks like this is mostly related to Content Security Policy(CSP)[1] which
> have got strengthened after recent WebKit upgrades.
>
> I have reduced the given html further(PSB) & I could reproduce the problem
> with the following html snippet,
>
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src *;’/></head>
> <body> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg'
> alt='from file:’/> <img
> src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
> alt=‘from http:’/> </body></html>
>
> In the above html snippet, CSP of img tag is set to load from all except file
> scheme. It would load img from http: but not from file. If you also want to
> load from file: scheme, then you must explicitly set that in the CSP header.
> Something like below,
>
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src file:
> *;’/></head> <body> <img
> src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from
> file:’/> <img
> src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg'
> alt=‘from http:’/> </body></html>
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> Thanks,
> Arun
>
>> On 20-Nov-2018, at 10:04 AM, Anton Tarasov <anton.tara...@jetbrains.com>
>> wrote:
>>
>> Thanks for the catch, Kevin! Seems very likely. Is it the thing configured
>> at compile-time?
>>
>> Regards,
>> Anton.
>>
>> On 11/20/2018 12:51 AM, Kevin Rushforth wrote:
>>> I can reproduce it and it seems related to Cross-Site-Scripting (XSS)
>>> protections, which you have enabled in your HTML header with:
>>>
>>> <meta http-equiv="Content-Security-Policy" ...>
>>>
>>> If I remove the 'http-equiv="Content-Security-Policy"' from the meta-data
>>> then it displays just fine.
>>>
>>> Perhaps Arun or Murali could comment on whether this is a bug or not. It
>>> seems just as likely to me that it is a feature that didn't used to be
>>> enabled and now is.
>>>
>>> -- Kevin
>>>
>>>
>>> On 11/19/2018 1:44 PM, Anton Tarasov wrote:
>>>> Hi Kevin,
>>>>
>>>> On 11/20/2018 12:21 AM, Kevin Rushforth wrote:
>>>>> Hi Anton,
>>>>>
>>>>> We'll take a look and see if we can reproduce it. Am I correct in
>>>>> understanding that the problem only happens with loadContent, which works
>>>>> on 8u152 and fails on 8u202-ea? And that load from a file works fine on
>>>>> both 8u152 and 8u202-ea?
>>>>>
>>>> Yes, that's right. I've also checked that it's broken in the latest jfx12
>>>> as well. I'd appreciate your help in resolving this.
>>>>
>>>> Thanks,
>>>> Anton.
>>>>
>>>>>
>>>>> -- Kevin
>>>>>
>>>>>
>>>>> On 11/19/2018 12:17 PM, Anton Tarasov wrote:
>>>>>> Hello, JFX team!
>>>>>>
>>>>>> We (at JetBrains) faced an issue with WebView after we've moved to a
>>>>>> JFX update in JDK8u202. The issue is that WebView stopped loading images
>>>>>> referenced by an absolute URL under some circumstances.
>>>>>>
>>>>>> Below is a real html content, produced by IDEA markdown viewer. It has
>>>>>> lots of style pre-loads and a sample image that it should eventually
>>>>>> display. The html is loaded via WebEngine.loadContent(..) but a
>>>>>> placeholder text is only displayed - that's the problem that can be
>>>>>> reproduced with JDK8u202. However it worked with JDK8u152.
>>>>>>
>>>>>> The style references will obviously fail for you, but if you put this
>>>>>> html into a file and will load it via
>>>>>> WebEngine.load(file:///path/to/file), the image will be shown with no
>>>>>> problem (in 8u202 as well).
>>>>>>
>>>>>> <html><head><meta http-equiv="Content-Security-Policy"
>>>>>> content="default-src 'none'; script-src
>>>>>> http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3
>>>>>> http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3; style-src https:
>>>>>> http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3
>>>>>> http://localhost:63344/api/markdown-preview/styles/darcula.css?_ijt=ujioejund46k8cmdcsuggbpnf3
>>>>>> http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt=ujioejund46k8cmdcsuggbpnf3; img-src *; connect-src 'none';
>>>>>> font-src *; object-src 'none'; media-src 'none'; child-src
>>>>>> 'none';"/><link rel="stylesheet"
>>>>>> href="http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3" />
>>>>>>
>>>>>> <script
>>>>>> src="http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
>>>>>> <script
>>>>>> src="http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body
>>>>>> md-src-pos="0..89"><p md-src-pos="0..88"><img
>>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
>>>>>> alt="Kitten" title="A cute kitten" md-src-pos="0..88"
>>>>>> /></p></body></html>
>>>>>>
>>>>>> Then, if you remove all the style loading and leave only the
>>>>>> image, the image will be shown in either way: load(url) or
>>>>>> loadContent (in 8u202)
>>>>>>
>>>>>> <html><head></head><body md-src-pos="0..89"><p
>>>>>> md-src-pos="0..88"><img
>>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
>>>>>> alt="Kitten" title="A cute kitten" md-src-pos="0..88"
>>>>>> /></p></body></html>
>>>>>>
>>>>>> Sorry for not submitting the code, I hope you will easily put it into a
>>>>>> real demo (I played with JFX's WebViewApp).
>>>>>>
>>>>>> So, could you please advise on what went wrong with it?
>>>>>>
>>>>>> With regards,
>>>>>> Anton.
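
The thread turns on what an `img-src *` source covers. The sketch below is an added example, not code from the thread, OpenJFX or WebKit: it models the CSP Level 3 wildcard rule, under which `*` matches http(s) URLs and URLs whose scheme equals the protected document's own scheme. The `about:` scheme assumed for a `loadContent` document, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example: simplified model of CSP source-list matching for one image.
// Only what this thread touches is modelled: 'none', "*", and scheme-sources
// such as "file:" or "https:". Host-sources and keywords are not handled.

// Parse a policy string into { directive: [sources...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// CSP Level 3 wildcard rule: "*" matches http(s) URLs and URLs whose scheme
// equals the scheme of the document the policy protects, nothing else.
function starMatches(urlScheme, documentScheme) {
  return urlScheme === 'http:' || urlScheme === 'https:' ||
         urlScheme === documentScheme;
}

// May `imageUrl` load under `policy` in a document whose URL scheme is
// `documentScheme`? "file:" models load(file:///...); "about:" is an
// ASSUMED stand-in for a document created by loadContent.
function imageAllowed(policy, imageUrl, documentScheme) {
  const directives = parsePolicy(policy);
  // img-src falls back to default-src; with neither, nothing is restricted.
  const sources = directives['img-src'] ?? directives['default-src'];
  if (sources === undefined) return true;
  const scheme = new URL(imageUrl).protocol; // includes the trailing ":"
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return starMatches(scheme, documentScheme);
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === scheme;
    return false; // out of scope for this sketch
  });
}

// Constructed sample URLs mirroring the reduced test case in the thread.
const FILE_IMG = 'file:///tmp/sample.jpg';
const HTTPS_IMG = 'https://example.com/sample.jpg';
```

Under this model the same `img-src *` policy gives different answers for a `file:` image depending on the document's own scheme, which is consistent with the `load(file:///...)` versus `loadContent` difference reported in the thread.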