Does anyone know if there's a way around this security policy for Facebook Instant Games? I'm trying to load a video using a local blob that I'm downloading using Fetch().

Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://XYZ (“default-src https://XYZ”)

Using the video's direct URL as the video.src isn't an option for me. Any thoughts?

Dustin Kerstein

1 Answer


I work on the Instant Games team. The preferred approach is to store any assets for your Instant Game in the Instant Game bundle itself.

Having said this, we've reviewed this and we think it will open up more flexibility on the platform if we open up the blob protocol in media-src, so this should now work.

Chris Hawkins
  • Chris, I am fetching the game data (quiz questions) from our remote server. This is tailored to the user who is playing. Part of the question data is a remote image URL. When I try to load this I won't see anything. It looks like it's blocked. Some advice on how to handle this would be great. Thanks. – fightbulc Oct 01 '18 at 15:27
  • Are you now able to load it via the `blob` protocol? We don't plan on opening `media-src` up to allow carte blanche resources from other domains to avoid tracking pixels, etc. – Chris Hawkins Oct 05 '18 at 10:03
  • Thanks for getting back. I did it now via `blob` and all works fine. You guys should add that information to the docs; it took me some time to find this info here. – fightbulc Oct 05 '18 at 14:44
  • @ChrisHawkins Having the same problem loading scripts from cdnjs.cloudflare.com. [Here](https://support.cloudinary.com/hc/en-us/community/posts/360003923851-Can-t-load-images-in-Facebook-Instant-Games-) devs asked Facebook to allowlist their needed resource to be able to load from it. Should I do the same for cloudflare? – Slaus Aug 20 '19 at 15:28
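
Why the `default-src` policy in the question blocks the blob URL, and what adding `blob:` to `media-src` changes, as an added example that is not part of the original posts or Facebook's code: a simplified CSP source matcher in JavaScript. The host `game.example`, the blob UUID and the exact form of the updated policy are assumptions; keyword sources such as `'self'`, ports and paths are not modelled.

```javascript
// Simplified model of CSP source matching; not a complete CSP implementation.
const FALLBACK = { "media-src": "default-src", "img-src": "default-src", "script-src": "default-src" };

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function sourceMatches(src, url) {
  if (src.startsWith("'")) return false; // 'none' and other keywords: not modelled
  // Scheme source such as "blob:" or "https:" matches on the URL scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === url.protocol;
  // blob:, data: and filesystem: URLs are allowed only by an explicit scheme
  // source, never by "*" or by a host source, even one naming the same origin.
  if (["blob:", "data:", "filesystem:"].includes(url.protocol)) return false;
  if (src === "*") return true;
  // Host source with optional scheme, e.g. "https://game.example" or "*.example".
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  if (m[1] && m[1] + ":" !== url.protocol) return false;
  return m[2].startsWith("*.") ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
}

// True if a load governed by `directive` is permitted for resourceUrl.
function isAllowed(header, directive, resourceUrl) {
  const policy = parsePolicy(header);
  // A fetch directive that is absent falls back to default-src.
  const sources = policy.get(directive) ?? policy.get(FALLBACK[directive]);
  if (sources === undefined) return true; // nothing governs this load
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed policies: the shape from the error message, then with blob: in media-src.
const BEFORE = "default-src https://game.example";
const AFTER = "default-src https://game.example; media-src https://game.example blob:";
const BLOB_URL = "blob:https://game.example/0b9c6f2e-1d3a-4c55-9e7a-2f6d8a1b4c3e"; // constructed

console.log("blob video, before:", isAllowed(BEFORE, "media-src", BLOB_URL));
console.log("blob video, after: ", isAllowed(AFTER, "media-src", BLOB_URL));
console.log("other-domain video:", isAllowed(AFTER, "media-src", "https://videos.example/clip.mp4"));
console.log("third-party script:", isAllowed(AFTER, "script-src", "https://cdnjs.cloudflare.com/lib.js"));
```
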