I'm using Uploadcare to upload images and files in my application and am also using the browser-policy package for content security. I noticed recently that the camera upload feature was not working and couldn't figure out how to allow it.

```
Refused to load media from 'blob:http%3A//localhost%3A3000/e44633a7-227f-40e2-a3bd-9efd211f677d' because it violates the following Content Security Policy directive: "default-src 'self' (My Allowed Origins ...) ". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.
```

It seems the only way I've been able to get this to work is by using:

```js
BrowserPolicy.content.allowOriginForAll('blob:');
```

Is there a better way? It looks like I'm getting an 'unsafe-eval' blob: warning using the current method. Things I've tried already:

```js
BrowserPolicy.content.allowDataUrlForAll();
BrowserPolicy.content.allowBlobDataUrl(); // Not valid
BrowserPolicy.content.allowOriginForAll('blob:http://localhost3000*');
BrowserPolicy.content.allowOriginForAll('http://localhost3000*');
```

Bradley

1 Answer

We use this policy in our package:

```js
BrowserPolicy.content.allowImageOrigin("blob:");
var constructedCsp = BrowserPolicy.content._constructCsp();
BrowserPolicy.content.setPolicy(constructedCsp + " media-src blob:;");
```

If you just want to plug and play it's here: https://github.com/smalljoys/meteor-uploadcare

sgoudie
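
The fallback behaviour named in the error message, as an added example that is not part of the original question, the answer or the linked package: a simplified CSP source-list check showing that a directive falls back to `default-src` only when it is absent, so `media-src blob:` permits blob media without also permitting `blob:` for scripts. The policy strings, `SELF`, `BLOB` and all function names are constructed for illustration and are not output captured from browser-policy.

```javascript
// Added example: simplified CSP check (scheme sources, 'self', exact origins only).
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// A fetch directive uses its own list if present, else default-src (no merging).
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  return 'default-src' in directives ? directives['default-src'] : null;
}

function allows(policy, directiveName, url, selfOrigin) {
  const sources = effectiveSources(parseCsp(policy), directiveName);
  if (sources === null) return true; // nothing restricts this resource type
  const u = new URL(url);
  return sources.some((src) => {
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    if (u.protocol === 'blob:' || u.protocol === 'data:') return false; // needs a scheme source
    if (src === "'self'") return u.origin === selfOrigin;
    return u.origin === src;
  });
}

// Constructed values, not captured from a real app.
const SELF = 'http://localhost:3000';
const BLOB = 'blob:http://localhost:3000/00000000-0000-0000-0000-000000000000';
const POLICIES = {
  original: "default-src 'self';",
  blobEverywhere: "default-src 'self' blob:; script-src 'self' blob:;",
  mediaOnly: "default-src 'self'; script-src 'self'; img-src 'self' blob:; media-src blob:;",
};

function summarize(policy) {
  return {
    mediaBlob: allows(policy, 'media-src', BLOB, SELF),
    scriptBlob: allows(policy, 'script-src', BLOB, SELF),
    mediaSelf: allows(policy, 'media-src', SELF + '/clip.mp4', SELF),
  };
}

for (const [name, p] of Object.entries(POLICIES)) console.log(name, summarize(p));
```

Once `media-src` is set it replaces `default-src` for media rather than extending it, so same-origin media also needs `'self'` listed there.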