Discussion:
issue with WebView in 8u202
Anton Tarasov
2018-11-19 20:17:39 UTC
Hello, JFX team!

We (at JetBrains) faced an issue with WebView after we've moved to a
JFX update in JDK8u202. The issue is that WebView stopped loading images
referenced by an absolute URL under some circumstances.

Below is real html content, produced by the IDEA markdown viewer. It has
lots of style pre-loads and a sample image that it should eventually
display. The html is loaded via WebEngine.loadContent(..) but only a
placeholder text is displayed - that's the problem that can be
reproduced with JDK8u202. However it worked with JDK8u152.

The style references will obviously fail for you, but if you put this
html into a file and load it via
WebEngine.load(file:///path/to/file), the image will be shown with no
problem (in 8u202 as well).

<html><head><meta http-equiv="Content-Security-Policy"
content="default-src 'none'; script-src
http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3;
style-src https:
http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/styles/darcula.css?_ijt=ujioejund46k8cmdcsuggbpnf3
http://localhost:63344/api/markdown-preview/styles/inline.css?_ijt=ujioejund46k8cmdcsuggbpnf3;
img-src *; connect-src 'none'; font-src *; object-src 'none'; media-src
'none'; child-src 'none';"/><link rel="stylesheet"
href="http://localhost:63344/api/markdown-preview/styles/default.css?_ijt=ujioejund46k8cmdcsuggbpnf3"
/>

<script
src="http://localhost:63344/api/markdown-preview/scripts/processLinks.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script>
<script
src="http://localhost:63344/api/markdown-preview/scripts/scrollToElement.js?_ijt=ujioejund46k8cmdcsuggbpnf3"></script></head><body
md-src-pos="0..89"><p md-src-pos="0..88"><img
src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
alt="Kitten" title="A cute kitten" md-src-pos="0..88" /></p></body></html>

Then, if you remove all the style loading and leave only the image, the
image will be shown in either way: load(url) or loadContent (in 8u202)

<html><head></head><body md-src-pos="0..89"><p md-src-pos="0..88"><img
src="file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg"
alt="Kitten" title="A cute kitten" md-src-pos="0..88" /></p></body></html>

Sorry for not submitting the code, I hope you will easily put it into a
real demo (I played with JFX's WebViewApp).

So, could you please advise on what went wrong with it?

With regards,
Anton.
Anton Tarasov
2018-11-19 20:20:03 UTC
(relates to MS Windows, at least)
Kevin Rushforth
2018-11-19 21:21:09 UTC
Hi Anton,

We'll take a look and see if we can reproduce it. Am I correct in
understanding that the problem only happens with loadContent, which
works on 8u152 and fails on 8u202-ea? And that load from a file works
fine on both 8u152 and 8u202-ea?

-- Kevin
Anton Tarasov
2018-11-19 21:44:01 UTC
Hi Kevin,
Post by Kevin Rushforth
Hi Anton,
We'll take a look and see if we can reproduce it. Am I correct in
understanding that the problem only happens with loadContent, which
works on 8u152 and fails on 8u202-ea? And that load from a file works
fine on both 8u152 and 8u202-ea?
Yes, that's right. I've also checked that it's broken in the latest
jfx12 as well. I'd appreciate your help in resolving this.

Thanks,
Anton.
Kevin Rushforth
2018-11-19 21:51:02 UTC
I can reproduce it and it seems related to Cross-Site-Scripting (XSS)
protections, which you have enabled in your HTML header with:

    <meta http-equiv="Content-Security-Policy" ...>

If I remove the 'http-equiv="Content-Security-Policy"' from the
meta-data then it displays just fine.

Perhaps Arun or Murali could comment on whether this is a bug or not. It
seems just as likely to me that it is a feature that didn't used to be
enabled and now is.

-- Kevin
Anton Tarasov
2018-11-20 04:34:50 UTC
Thanks for the catch, Kevin! Seems very likely. Is it the thing
configured at compile-time?

Regards,
Anton.
Arunprasad Rajkumar
2018-11-20 07:09:19 UTC
Hi Anton,

Looks like this is mostly related to Content Security Policy (CSP) [1], which has been strengthened after recent WebKit upgrades.

I have reduced the given html further (PSB) and I could reproduce the problem with the following html snippet:

<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src *;’/></head>
<body>
<img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from file:’/>
<img src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' alt=‘from http:’/>
</body></html>

In the above html snippet, CSP of img tag is set to load from all except file scheme. It would load img from http: but not from file. If you also want to load from file: scheme, then you must explicitly set that in the CSP header. Something like below,

<html><head>
<meta http-equiv='Content-Security-Policy' content='img-src file: *;’/></head>
<body>
<img src='file:///Users/ARAJKUMA/Downloads/penguingun-900x900.jpg' alt='from file:’/>
<img src='https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg' alt=‘from http:’/>
</body></html>

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Thanks,
Arun
Murali Billa
2018-11-20 08:14:41 UTC
Hi Arun,

Regarding <meta http-equiv='Content-Security-Policy' content='img-src *;’/>
- In the above html snippet, CSP of img tag is set to load from all except file scheme.

I think the above statement is not correct. For me it loads both file and https images with img-src *; (tested in hellowebview and chrome). I guess the reason why the 2nd image (https) is not loaded with the above code is that there is a mismatch of backquote (’) for alt='from file:’
Also from spec [1] img-src *; means "Images may load from anywhere (note the "*" wildcard)."

I think to load from file: scheme, there is no need to specify explicitly in the CSP header (apart from "*" wild card)

Please correct me if I'm wrong.

Thanks,
Murali

Arunprasad Rajkumar
2018-11-20 09:10:34 UTC
Quote mismatch is due to mail client’s auto formatting. For more clarity I have attached the test code as a file. Also the solution which I had suggested is only for WebEngine.loadContent.
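
Added example (not code from this thread, OpenJFX or WebKit): a simplified JavaScript model of the CSP Level 3 rule that a `*` source matches only HTTP(S) URLs and URLs whose scheme equals the document's own scheme, which is consistent with the load(file:) versus loadContent difference reported above. The document scheme `about` assumed for loadContent, the helper names and the shortened copy of the IDEA policy are assumptions for illustration.

```javascript
// Simplified model of CSP source-list matching for one fetch directive.
// Modelled: '*', 'none' and scheme-sources such as "file:" or "https:".
// Not modelled: host-sources, 'self', nonces, hashes, redirects.

const HTTP_SCHEMES = new Set(["http", "https"]);

// Return the source list that governs `directive`, falling back to
// default-src. null means the policy places no restriction on it.
function sourceListFor(policy, directive) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Lower-cased scheme of an absolute URL, or null if there is none.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// documentScheme is the scheme of the page carrying the policy:
// "file" for WebEngine.load("file:///..."); for loadContent this example
// ASSUMES a non-file scheme and uses "about".
function isAllowed(policy, directive, resourceUrl, documentScheme) {
  const sources = sourceListFor(policy, directive);
  if (sources === null) return true;
  const scheme = schemeOf(resourceUrl);
  if (scheme === null) return false;
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") continue; // matches nothing
    if (s === "*") {
      // Wildcard: HTTP(S) URLs, or the same scheme as the document.
      if (HTTP_SCHEMES.has(scheme) || scheme === documentScheme) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      const allowed = s.slice(0, -1);
      // A scheme-source of "http:" also admits the upgraded "https".
      if (allowed === scheme || (allowed === "http" && scheme === "https")) {
        return true;
      }
    }
  }
  return false;
}

// Policies and URLs from the thread; IDEA_POLICY is a shortened copy
// without the localhost script/style entries (constructed for the example).
const STAR_ONLY = "img-src *;";
const STAR_AND_FILE = "img-src file: *;";
const IDEA_POLICY =
  "default-src 'none'; img-src *; connect-src 'none'; font-src *; " +
  "object-src 'none'; media-src 'none'; child-src 'none';";
const FILE_IMG = "file:///C:/Users/tav/IdeaProjects/DummyProject/src/kitten.jpg";
const HTTPS_IMG =
  "https://betanews.com/wp-content/uploads/2016/04/penguingun-900x900.jpg";

function threadCases() {
  return {
    // loadContent(html) with img-src *: file image blocked.
    loadContentStarFile: isAllowed(STAR_ONLY, "img-src", FILE_IMG, "about"),
    // load(file:///...) with img-src *: same-scheme file image allowed.
    loadFileStarFile: isAllowed(STAR_ONLY, "img-src", FILE_IMG, "file"),
    // loadContent(html) with img-src *: https image allowed.
    loadContentStarHttps: isAllowed(STAR_ONLY, "img-src", HTTPS_IMG, "about"),
    // loadContent(html) with img-src file: *: file image allowed.
    loadContentFileStarFile: isAllowed(STAR_AND_FILE, "img-src", FILE_IMG, "about"),
    // Full-style IDEA policy behaves like img-src * for images.
    ideaLoadContentFile: isAllowed(IDEA_POLICY, "img-src", FILE_IMG, "about"),
    ideaLoadFileFile: isAllowed(IDEA_POLICY, "img-src", FILE_IMG, "file"),
  };
}

console.log(threadCases());
```

Adding `file:` to `img-src` is narrower than removing the policy: the other directives, including `default-src 'none'`, keep applying to the content passed to loadContent.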
Anton Tarasov
2018-11-20 08:23:16 UTC
Hi Arun,

The reason appeared to be quite simple, thank you for the details!

Regards,
Anton.