issue with WebView in 8u202

Anton Tarasov anton.tarasov at jetbrains.com
Tue Nov 20 08:23:16 UTC 2018


Hi Arun,

The reason appeared to be quite simple, thank you for the details!

Regards,
Anton.

On 11/20/2018 10:09 AM, Arunprasad Rajkumar wrote:
> Hi Anton,
>
> Looks like this is mostly related to Content Security Policy (CSP) [1], 
> which has been strengthened after recent WebKit upgrades.
>
> I have reduced the given HTML further (PSB) and I could reproduce the 
> problem with the following HTML snippet:
>
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src *;'/></head>
> <body>
> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' 
> alt='from file:'/>
> <img 
> src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' 
> alt='from http:'/>
> </body></html>
>
> In the above HTML snippet, the CSP for the img tag is set to load from all 
> schemes except file:. It would load the img from http: but not from file:. If 
> you also want to load from the file: scheme, then you must explicitly set 
> that in the CSP header. Something like below:
>
> <html><head>
> <meta http-equiv='Content-Security-Policy' content='img-src file: 
> *;'/></head>
> <body>
> <img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' 
> alt='from file:'/>
> <img 
> src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' 
> alt='from http:'/>
> </body></html>
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> Thanks,
> Arun
>
>> On 20-Nov-2018, at 10:04 AM, Anton Tarasov 
>> <anton.tarasov at jetbrains.com <mailto:anton.tarasov at jetbrains.com>> wrote:
>>
>> Thanks for the catch, Kevin! Seems very likely. Is it the thing 
>> configured at compile-time?
>>
>> Regards,
>> Anton.
>>
>> On 11/20/2018 12:51 AM, Kevin Rushforth wrote:
>>> I can reproduce it and it seems related to Cross-Site-Scripting 
>>> (XSS) protections, which you have enabled in your HTML header with:
>>>
>>>     <meta http-equiv="Content-Security-Policy" ...>
>>>
>>> If I remove the 'http-equiv="Content-Security-Policy"' from the 
>>> meta-data then it displays just fine.
>>>
>>> Perhaps Arun or Murali could comment on whether this is a bug or 
>>> not. It seems just as likely to me that it is a feature that didn't 
>>> used to be enabled and now is.
>>>
>>> -- Kevin
>>>
>>>
>>> On 11/19/2018 1:44 PM, Anton Tarasov wrote:
>>>> Hi Kevin,
>>>>
>>>> On 11/20/2018 12:21 AM, Kevin Rushforth wrote:
>>>>> Hi Anton,
>>>>>
>>>>> We'll take a look and see if we can reproduce it. Am I correct in 
>>>>> understanding that the problem only happens with loadContent, 
>>>>> which works on 8u152 and fails on 8u202-ea? And that load from a 
>>>>> file works fine on both 8u152 and 8u202-ea?
>>>>>
>>>> Yes, that's right. I've also checked that it's broken in the latest 
>>>> jfx12. I'd appreciate your help in resolving this.
>>>>
>>>> Thanks,
>>>> Anton.
>>>>
>>>>>
>>>>> -- Kevin
>>>>>
>>>>>
>>>>> On 11/19/2018 12:17 PM, Anton Tarasov wrote:
>>>>>> Hello, JFX team!
>>>>>>
>>>>>> We (at JetBrains) faced an issue with WebView after we moved 
>>>>>> to a JFX update in JDK8u202. The issue is that WebView stopped 
>>>>>> loading images referenced by an absolute URL under some 
>>>>>> circumstances.
>>>>>>
>>>>>> Below is real HTML content, produced by the IDEA markdown viewer. 
>>>>>> It has lots of style pre-loads and a sample image that it should 
>>>>>> eventually display. The HTML is loaded via 
>>>>>> WebEngine.loadContent(..), but only a placeholder text is 
>>>>>> displayed - that's the problem that can be reproduced with 
>>>>>> JDK8u202. However, it worked with JDK8u152.
>>>>>>
>>>>>> The style references will obviously fail for you, but if you put 
>>>>>> this HTML into a file and load it via 
>>>>>> WebEngine.load(file:///path/to/file), the image will be shown 
>>>>>> with no problem (in 8u202 as well).
>>>>>>
>>>>>> <html><head><meta http-equiv="Content-Security-Policy" 
>>>>>> content="default-src 'none'; script-src 
>>>>>> http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3 
>>>>>> http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3; 
>>>>>> style-src https: 
>>>>>> http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3 
>>>>>> http://localhost:63344/api/markdown-preview/styles/darcula.css?_ijt=ujioejund46k8cmdcsuggbpnf3 
>>>>>> http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt=ujioejund46k8cmdcsuggbpnf3; 
>>>>>> img-src *; connect-src 'none'; font-src *; object-src 'none'; 
>>>>>> media-src 'none'; child-src 'none';"/><link rel="stylesheet" 
>>>>>> href="http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3" 
>>>>>> />
>>>>>>
>>>>>> <script 
>>>>>> src="http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
>>>>>> <script 
>>>>>> src="http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body 
>>>>>> md-src-pos="0..89"><p md-src-pos="0..88"><img 
>>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg" 
>>>>>> alt="Kitten" title="A cute kitten" md-src-pos="0..88" 
>>>>>> /></p></body></html>
>>>>>>
>>>>>> Then, if you remove all the style loading and leave only the 
>>>>>> image, the image will be shown either way: load(url) or 
>>>>>> loadContent (in 8u202).
>>>>>>
>>>>>> <html><head></head><body md-src-pos="0..89"><p 
>>>>>> md-src-pos="0..88"><img 
>>>>>> src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg" 
>>>>>> alt="Kitten" title="A cute kitten" md-src-pos="0..88" 
>>>>>> /></p></body></html>
>>>>>>
>>>>>> Sorry for not submitting the code, I hope you will easily put it 
>>>>>> into a real demo (I played with JFX's WebViewApp).
>>>>>>
>>>>>> So, could you please advise on what went wrong with it?
>>>>>>
>>>>>> With regards,
>>>>>> Anton.
>>>>>
>>>>
>>>
>>
>
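The behaviour Arun describes follows from how CSP source lists match URLs. The following is an added example, not JavaFX or WebKit code: a small JavaScript model of the CSP Level 3 matching rules for the subset used in this thread (the `*` wildcard, scheme sources such as `file:`, and host sources). The rule that matters here is that `*` matches only network schemes (http, https, ws, wss) or the scheme of the document itself, so it never covers `file:` unless the document was itself loaded from a `file:` URL, which is consistent with `load(file:///...)` working while `loadContent` does not. The model assumes that content supplied via `WebEngine.loadContent` has the scheme `about`; that scheme name is an assumption of this example, and quoted keywords other than `'none'` are not modelled.

```javascript
// Added example (not JavaFX or WebKit code): a small model of CSP source-list
// matching, following the CSP Level 3 rules for the subset used in this thread.
// Key rule: the wildcard "*" matches only network schemes (http, https, ws, wss)
// or the document's own scheme, so it never matches file: unless the document
// itself came from file:. Assumption: a document supplied through
// WebEngine.loadContent is treated here as having the scheme "about".

const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// Parse "img-src *; connect-src 'none'" into Map(name -> [source expressions]).
// As in the spec, the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// scheme-part matching: "http:" also covers https, "ws:" also covers wss.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http" && urlScheme === "https") ||
    (exprScheme === "ws" && urlScheme === "wss");
}

// Does a single source expression match `url` for a document with `documentScheme`?
function expressionMatches(expr, url, documentScheme) {
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (expr === "*") {
    return NETWORK_SCHEMES.has(urlScheme) || urlScheme === documentScheme;
  }
  // scheme-source, e.g. "file:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return schemeMatches(expr.slice(0, -1).toLowerCase(), urlScheme);
  }
  // Quoted keywords ('self', nonces, hashes, ...) are not modelled; 'none' never matches.
  if (expr.startsWith("'")) return false;
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, exprScheme, wildcard, host, port, path] = m;
  if (exprScheme) {
    if (!schemeMatches(exprScheme.toLowerCase(), urlScheme)) return false;
  } else if (!NETWORK_SCHEMES.has(urlScheme) && urlScheme !== documentScheme) {
    return false; // a bare host only covers network schemes, like "*"
  }
  const urlHost = url.hostname.toLowerCase();
  const exprHost = host.toLowerCase();
  if (wildcard ? !urlHost.endsWith("." + exprHost) : urlHost !== exprHost) return false;
  const urlPort = url.port || DEFAULT_PORTS[urlScheme] || "";
  if (port && port !== "*" && port !== urlPort) return false;
  if (path) { // spec: a path ending in "/" is a prefix match, otherwise exact
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Is fetching `urlString` permitted by `directive` (falling back to default-src)?
function isAllowed(policy, directive, urlString, documentScheme) {
  const directives = parsePolicy(policy);
  const list = directives.get(directive) ?? directives.get("default-src");
  if (list === undefined) return true; // nothing governs this fetch
  if (list.length === 0) return false; // empty list blocks everything
  if (list.length === 1 && list[0].toLowerCase() === "'none'") return false;
  const url = new URL(urlString);
  return list.some((expr) => expressionMatches(expr, url, documentScheme));
}

// The two image URLs from Arun's reduced test case, and a trimmed copy of the
// policy from Anton's report (script-src/style-src entries omitted).
const FILE_IMG = "file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg";
const HTTPS_IMG = "https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg";
const MARKDOWN_POLICY = "default-src 'none'; img-src *; connect-src 'none'; font-src *; object-src 'none'";

// The cases discussed in the thread; keys name the scenario.
function threadCases() {
  return {
    loadContentHttps: isAllowed("img-src *", "img-src", HTTPS_IMG, "about"),
    loadContentFile: isAllowed("img-src *", "img-src", FILE_IMG, "about"),
    loadContentFileFixed: isAllowed("img-src file: *", "img-src", FILE_IMG, "about"),
    loadFromFileUrl: isAllowed(MARKDOWN_POLICY, "img-src", FILE_IMG, "file"),
  };
}

console.log(threadCases());
```

Running the block prints the four scenarios: with `img-src *` the https image is allowed and the file image is blocked for `loadContent` content, adding `file:` to the source list allows it, and the same `img-src *` policy allows the file image once the document itself has the `file` scheme. Note that widening `img-src` to `file:` lets the page reference any local file the process can read, which is worth weighing when the HTML comes from a less trusted source.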