Getting "Refused to create worker from blob" error in video.min.js when looking at Chrome console

Using 7.4.1, when I load a page with videojs on it, Chrome devtools shows me this error:

Refused to create a worker from 'blob:https://dev.culturediscovery.com/51e9879d-fa81-4044-9117-7328c0df4dd6' because it violates the following Content Security Policy directive: "default-src * data: 'unsafe-eval' 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.
(anonymous) @   video.min.js:1830
(anonymous) @   video.min.js:2
(anonymous) @   video.min.js:2

Can anyone help me figure out how to deal with this?

The error is related to Content Security Policy, as the traceback suggests. So if default-src or worker-src is present in the CSP directive, every attempt to spawn a worker in a browser that supports CSP for workers must pass this directive or an error is thrown.

There is a special note about blob workers:

To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which requested the worker script itself.

The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker that created it.

source: MDN: CSP in workers

So the page (or iframe) that creates the blob URL has the CSP directive:

"default-src * data: 'unsafe-eval' 'unsafe-inline'"

Now consider the following:

As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.

source: W3: Security Considerations for GUID URL schemes

This means you need to explicitly add the blob: data scheme to default-src or worker-src:

"default-src * data: 'unsafe-eval' 'unsafe-inline' blob:"
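The behaviour described in the answer above can be reproduced with a small source-list check. This is an added example, not code from the answer or from video.js; it is a simplified model that handles only `*` and scheme-sources such as `blob:`, and the function names are hypothetical.

```javascript
// Simplified model of how a browser decides whether a worker URL passes CSP.
// Assumption: only '*' and scheme-sources are modelled; host-sources and 'self' are not.

// Policy and blob URL taken from the console error in the question.
const PAGE_POLICY = "default-src * data: 'unsafe-eval' 'unsafe-inline'";
const BLOB_URL = "blob:https://dev.culturediscovery.com/51e9879d-fa81-4044-9117-7328c0df4dd6";

// When worker-src is not set, the browser falls back through this chain.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];
// Simplification: the schemes a bare '*' may match. blob:, data: and filesystem: are excluded.
const WILDCARD_SCHEMES = new Set(["http", "https", "ws", "wss"]);

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function workerAllowed(header, url) {
  const directives = parsePolicy(header);
  const name = WORKER_FALLBACK.find((d) => directives.has(d)) || null;
  if (name === null) return { allowed: true, directive: null }; // nothing restricts workers
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  const allowed = directives.get(name).some((src) => {
    if (src === "*") return WILDCARD_SCHEMES.has(scheme);
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.slice(0, -1).toLowerCase() === scheme;
    return false; // keywords such as 'unsafe-inline' never match a URL
  });
  return { allowed, directive: name };
}

console.log(workerAllowed(PAGE_POLICY, BLOB_URL));
console.log(workerAllowed(PAGE_POLICY + " blob:", BLOB_URL));
console.log(workerAllowed(PAGE_POLICY + "; worker-src blob:", BLOB_URL));
```

Setting `worker-src blob:` as its own directive allows the blob worker without also admitting `blob:` URLs for every other resource type that falls back to `default-src`.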