List:       openjdk-openjfx-dev
Subject:    Re: issue with WebView in 8u202
From:       Arunprasad Rajkumar <arunprasad.rajkumar () oracle ! com>
Date:       2018-11-20 9:22:34
Message-ID: 6A2F4AA8-1B82-436D-A406-987F29142035 () oracle ! com

Quote mismatch is due to mail client's auto formatting. For more clarity I have
attached the test code as a file. Also the solution which I had suggested is only
for WebEngine.loadContent.
Thanks,
Arun

> On 20-Nov-2018, at 1:44 PM, Murali Billa <murali.billa@oracle.com> wrote:
> 
> Hi Arun,
> 
> Regarding <meta http-equiv='Content-Security-Policy' content='img-src *;'/>
> - In the above html snippet, CSP of img tag is set to load from all except
>   file scheme.
> I think the above statement is not correct. For me it loads both file and https
> images with img-src *; (tested in hellowebview and chrome). I guess the reason
> why the 2nd image (https) is not loaded with above code is there is a mismatch
> of backquote (') for alt='from file:'. Also from spec [1] img-src *; means
> "Images may load from anywhere (note the "*" wildcard)."
> I think to load from file: scheme, there is no need to specify explicitly in
> the CSP header (apart from "*" wild card).
> Please correct me if I'm wrong.
> 
> Thanks,
> Murali
> 
> -----Original Message-----
> From: Arunprasad Rajkumar 
> Sent: Tuesday, November 20, 2018 12:39 PM
> To: Anton Tarasov <anton.tarasov@jetbrains.com>
> Cc: openjfx-dev@openjdk.java.net
> Subject: Re: issue with WebView in 8u202
> 
> Hi Anton,
> 
> Looks like this is mostly related to Content Security Policy (CSP) [1], which
> has got strengthened after recent WebKit upgrades.
> I have reduced the given html further (PSB) & I could reproduce the problem
> with the following html snippet,
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src *;'/></head> <body>
> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from file:'/>
> <img src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' alt=‘from http:'/>
> </body></html>
> In the above html snippet, CSP of img tag is set to load from all except file
> scheme. It would load img from http: but not from file. If you also want to
> load from file: scheme, then you must explicitly set that in the CSP header.
> Something like below,
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src file: *;'/></head>
> <body> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from file:'/>
> <img src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' alt=‘from http:'/>
> </body></html>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
> 
> Thanks,
> Arun
> 
> > On 20-Nov-2018, at 10:04 AM, Anton Tarasov <anton.tarasov@jetbrains.com> wrote:
> > 
> > Thanks for the catch, Kevin! Seems very likely. Is it the thing configured
> > at compile-time?
> > Regards,
> > Anton.
> > 
> > On 11/20/2018 12:51 AM, Kevin Rushforth wrote:
> > > I can reproduce it and it seems related to Cross-Site-Scripting (XSS)
> > > protections, which you have enabled in your HTML header with:
> > > <meta http-equiv="Content-Security-Policy" ...>
> > > 
> > > If I remove the 'http-equiv="Content-Security-Policy"' from the meta-data
> > > then it displays just fine.
> > > Perhaps Arun or Murali could comment on whether this is a bug or not. It
> > > seems just as likely to me that it is a feature that didn't use to be
> > > enabled and now is.
> > > -- Kevin
> > > 
> > > 
> > > On 11/19/2018 1:44 PM, Anton Tarasov wrote:
> > > > Hi Kevin,
> > > > 
> > > > On 11/20/2018 12:21 AM, Kevin Rushforth wrote:
> > > > > Hi Anton,
> > > > > 
> > > > > We'll take a look and see if we can reproduce it. Am I correct in
> > > > > understanding that the problem only happens with loadContent, which
> > > > > works on 8u152 and fails on 8u202-ea? And that load from a file works
> > > > > fine on both 8u152 and 8u202-ea?
> > > > Yes, that's right. I've also checked that it's broken in the latest
> > > > jfx12 as well. I'd appreciate your help in resolving this.
> > > > Thanks,
> > > > Anton.
> > > > 
> > > > > 
> > > > > -- Kevin
> > > > > 
> > > > > 
> > > > > On 11/19/2018 12:17 PM, Anton Tarasov wrote:
> > > > > > Hello, JFX team!
> > > > > > 
> > > > > > We (at JetBrains) faced an issue with WebView after we've moved to a
> > > > > > JFX update in JDK8u202. The issue is that WebView stopped loading
> > > > > > images referenced by an absolute URL under some circumstances.
> > > > > > Below is a real html content, produced by IDEA markdown viewer. It
> > > > > > has lots of style pre-loads and a sample image that it should
> > > > > > eventually display. The html is loaded via WebEngine.loadContent(..)
> > > > > > but a placeholder text is only displayed - that's the problem that
> > > > > > can be reproduced with JDK8u202. However it worked with JDK8u152.
> > > > > > The style references will obviously fail for you, but if you put
> > > > > > this html into a file and load it via
> > > > > > WebEngine.load(file:///path/to/file), the image will be shown with no
> > > > > > problem (in 8u202 as well).
> > > > > > <html><head><meta http-equiv="Content-Security-Policy"
> > > > > > content="default-src 'none'; script-src
> > > > > > http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3
> > > > > > http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3; style-src https:
> > > > > > http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3
> > > > > > http://localhost:63344/api/markdown-preview/styles/darcula.css?_ijt=ujioejund46k8cmdcsuggbpnf3
> > > > > > http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt=ujioejund46k8cmdcsuggbpnf3; img-src *; connect-src 'none';
> > > > > > font-src *; object-src 'none'; media-src 'none'; child-src
> > > > > > 'none';"/><link rel="stylesheet"
> > > > > > href="http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3" />
> > > > > > 
> > > > > > <script
> > > > > > src="http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
> > > > > > <script
> > > > > > src="http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body
> > > > > > md-src-pos="0..89"><p md-src-pos="0..88"><img
> > > > > > src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg" alt="Kitten" title="A cute kitten" md-src-pos="0..88"
> > > > > > /></p></body></html>
> > > > > > 
> > > > > > Then, if you remove all the style loading and leave only the image,
> > > > > > the image will be shown in either way: load(url) or loadContent
> > > > > > (in 8u202)
> > > > > > 
> > > > > > <html><head></head><body md-src-pos="0..89"><p md-src-pos="0..88"><img
> > > > > > src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg" alt="Kitten" title="A cute kitten" md-src-pos="0..88"
> > > > > > /></p></body></html>
> > > > > > 
> > > > > > Sorry for not submitting the code, I hope you will easily put it
> > > > > > into a real demo (I played with JFX's WebViewApp).
> > > > > > So, could you please advise on what went wrong with it?
> > > > > > 
> > > > > > With regards,
> > > > > > Anton.
> > > > > 
> > > > 
> > > 
> > 
> 
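The behaviour the thread reports (with img-src *, the https: image loads but the file: image does not under loadContent, while the same page loaded from a file: URL shows both) follows from CSP's host-source matching rule, under which a bare * covers the network schemes (http, https, ws, wss) plus the document's own scheme. The Python below is an added example, not code from the thread or from OpenJFX, that models only that rule for img-src; the sample URLs and the assumption that loadContent gives the document an about:blank URL are constructed for the illustration.

```python
from urllib.parse import urlparse

# Schemes a bare '*' source expression covers under CSP Level 3 host-source
# matching. Assumption: this is a simplified model of the spec rule, not a
# copy of WebKit's implementation.
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_img_src(csp_header):
    """Return the img-src source expressions of a CSP header, or None if absent."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "img-src":
            return parts[1:]
    return None


def source_matches(expr, url, document_scheme):
    """Match one source expression ('*' or a scheme-source like 'file:') to a URL."""
    scheme = urlparse(url).scheme.lower()
    if expr == "*":
        # '*' matches network schemes, plus whatever scheme the document itself has.
        return scheme in NETWORK_SCHEMES or scheme == document_scheme
    if expr.endswith(":"):
        # scheme-source, e.g. 'file:' or 'https:'
        return scheme == expr[:-1].lower()
    return False  # host-sources and keywords are outside this model


def image_allowed(csp_header, url, document_url):
    """Would <img src=url> be allowed in a document whose URL is document_url?"""
    sources = parse_img_src(csp_header)
    if sources is None:
        return True  # no img-src directive: this model treats loading as unrestricted
    document_scheme = urlparse(document_url).scheme.lower()
    return any(source_matches(s, url, document_scheme) for s in sources)


# Constructed sample inputs mirroring the two cases in the thread.
FILE_IMG = "file:///C:/Users/example/kitten.jpg"
HTTPS_IMG = "https://example.org/kitten.jpg"
LOADED_FROM_FILE = "file:///C:/Users/example/page.html"  # WebEngine.load(file:...)
LOADED_CONTENT = "about:blank"                           # WebEngine.loadContent (assumed URL)

if __name__ == "__main__":
    for csp in ("img-src *;", "img-src file: *;"):
        for doc in (LOADED_FROM_FILE, LOADED_CONTENT):
            print(f"{csp:20} doc={doc:40} file:{image_allowed(csp, FILE_IMG, doc)} "
                  f"https:{image_allowed(csp, HTTPS_IMG, doc)}")
```

Under this model img-src * admits the file: image only when the document itself came from a file: URL, which is why adding file: to the directive is needed for loadContent but not for load(file:...).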
