If I set up my "Content-Security-Policy" (CSP) header as follows (using Apache .htaccess format) then MediaElementJS works fine.
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"
If I remove the 'unsafe-inline' from the end of the above line, then the play/pause button and the volume button on the player disappear as shown in the following image. This indicates that some stylesheets used by MediaElementJS have inline <script> elements, javascript: URLs, inline event handlers, or inline <style> elements.
It would be better for security if MediaElementJS worked with the stricter CSP setting where you do not specify 'unsafe-inline', and it should be possible to rework the code to support this.
Here is some information about CSP for reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
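The following is an added example, not code from the issue or from the MediaElementJS project. It parses the two header values quoted above, shows why the strict policy blocks inline styles (CSP falls back to default-src when style-src is absent, and only 'unsafe-inline' permits arbitrary inline CSS), and demonstrates the hash-source alternative that lets a site allow one known inline <style> block without reopening 'unsafe-inline'. The PLAYER_INLINE_STYLE string is a constructed stand-in, not the player's real CSS.

```python
import base64
import hashlib

# The two header values from the issue (the Apache "Header always set" argument).
PERMISSIVE_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; style-src 'self'"

# Constructed inline <style> body standing in for whatever a player injects; hypothetical.
PLAYER_INLINE_STYLE = ".mejs__button > button { background: transparent; }"

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """A missing fetch directive (e.g. style-src) inherits from default-src."""
    return policy.get(directive, policy.get("default-src", []))


def blanket_inline_styles_allowed(header: str) -> bool:
    """True if any inline <style> element would be allowed.

    Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    so a policy that lists both is NOT a blanket allow.
    """
    sources = effective_sources(parse_csp(header), "style-src")
    has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def style_hash_source(style_text: str) -> str:
    """CSP hash source for an inline <style> body: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def strict_csp_with_hash(base_header: str, style_text: str) -> str:
    """Rebuild the policy with a hash source appended to style-src.

    This keeps 'unsafe-inline' out of the header while allowing exactly one
    known inline <style> block (the hash changes if the CSS changes).
    """
    policy = parse_csp(base_header)
    style_src = list(effective_sources(policy, "style-src"))
    style_src.append(style_hash_source(style_text))
    policy["style-src"] = style_src
    return "; ".join(name + " " + " ".join(srcs) for name, srcs in policy.items())


def inline_style_permitted(header: str, style_text: str) -> bool:
    """Would this specific inline <style> body be applied under the policy?"""
    if blanket_inline_styles_allowed(header):
        return True
    sources = effective_sources(parse_csp(header), "style-src")
    return style_hash_source(style_text) in sources


if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE_CSP), ("strict", STRICT_CSP)):
        print(label, "blanket inline styles:", blanket_inline_styles_allowed(header))
    hashed = strict_csp_with_hash(STRICT_CSP, PLAYER_INLINE_STYLE)
    print("hashed policy:", hashed)
    print("known style permitted:", inline_style_permitted(hashed, PLAYER_INLINE_STYLE))
    print("other style permitted:", inline_style_permitted(hashed, "body { color: red }"))
```

Two caveats matter when applying this to a media player. A hash source covers inline <style> elements; inline style="" attributes additionally require 'unsafe-hashes' in the style-src directive. Styles that a script applies through the CSSOM (element.style.display = "none") are not inline CSS as far as CSP is concerned and are never blocked, which is usually the cleanest way for a library to become compatible with a no-'unsafe-inline' policy.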