258602 – poster attribute for video element has stricter Mixed Content policies

Bug 258602 - poster attribute for video element has stricter Mixed Content policies

Summary: poster attribute for video element has stricter Mixed Content policies

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Media (show other bugs)
Version:	Safari 16
Hardware:	Mac (Apple Silicon) macOS 13

Importance:	P2 Normal
Assignee:	Nobody

URL:	https://codepen.io/benjaminhoegh/pen/...
Keywords:	BrowserCompat, InRadar

Depends on:
Blocks:	140625
	Show dependency tree / graph

Reported:	2023-06-27 21:45 PDT by Benjamin
Modified:	2023-07-06 05:58 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
rendering in safari, firefox, chrome (1.10 MB, image/png) 2023-06-29 00:02 PDT, Karl Dubost	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Benjamin 2023-06-27 21:45:37 PDT

If you add a poster attribute to the video element it dosen't load the poster, but works fine in other browsers

<video poster="http://camendesign.com/code/video_for_everybody/poster.jpg">
  <source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4">
  <p>Your browser does not support the video tag.</p>
</video>

Comment 1 Alexey Proskuryakov 2023-06-28 19:52:59 PDT

I cannot reproduce this with Safari 17 beta. There is something weird going on with the poster size, as it momentarily shows up having the same size as in Chrome, and then becomes smaller.

Comment 2 Karl Dubost 2023-06-29 00:02:10 PDT

Created attachment 466857 [details]
rendering in safari, firefox, chrome

With 

```
data:text/html,<video poster="http://camendesign.com/code/video_for_everybody/poster.jpg"><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"><p>Your browser does not support the video tag.</p></video>
```

Safari Technology Preview  173           19616.1.20.2
Firefox Nightly            116.0a1       11623.6.28
Google Chrome Canary       117.0.5859.0  5859.0


The behavior is totally different.

Comment 3 Karl Dubost 2023-06-29 00:13:41 PDT

with the data: URL the console says:


Refused to load http://camendesign.com/code/video_for_everybody/poster.jpg because it does not appear in the img-src directive of the Content Security Policy.


which is interesting because 
data:text/html,<img src="http://camendesign.com/code/video_for_everybody/poster.jpg">

will work. 

https://searchfox.org/wubkat/rev/0a80aee13182b2feee32d8519e716edf3e876e18/Source/WebCore/html/HTMLVideoElement.cpp#249-262

Comment 4 Karl Dubost 2023-06-29 00:17:58 PDT

Ha this is working.


data:text/html,<video poster="https://camendesign.com/code/video_for_everybody/poster.jpg"><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"><p>Your browser does not support the video tag.</p></video>


aka https for the poster URL instead of http.

So the bug is different. It's more about Content Security Policy for the poster attribute.

Comment 5 Alexey Proskuryakov 2023-06-29 08:45:06 PDT

To be clear, I was testing with a local file, containing the code from bug description.

Comment 6 Benjamin 2023-06-29 10:43:40 PDT

I have updated the URL to a codepen illustrating the issue

https://codepen.io/benjaminhoegh/pen/NWEjPXE

Comment 7 Radar WebKit Bug Importer 2023-07-04 21:46:17 PDT

<rdar://problem/111765501>

Comment 8 Karl Dubost 2023-07-05 16:03:56 PDT

after discussions with Anne, it's more about mixed content.

Comment 9 Anne van Kesteren 2023-07-05 16:11:32 PDT

In particular we should be upgrading this request, similar to <img src>.