What is Mozilla doing about Twitter embedded videos violating CSP?
Twitter embedded video do not work on Firefox or Microsoft Edge because the embedded player violates the Content Security Policy (CSP). Twitter embedded videos do work on Google Chrome.
1. Are Mozilla actively pursuing the Twitter to remedy this issue for non-Chrome browsers? 2. Does Google Chrome implement CSP differently to Firefox and Edge?
Wšě wotmołwy (6)
Can you give a link to an example of where the problem occurs?
I'm not aware of a way to ignore CSP on a site-by-site basis, but an extension might be able remove those headers so that Firefox can't obey them. (Adding CSP headers is one way extensions control the kinds of content loaded into the page.)
jscher2000 said
Can you give a link to an example of where the problem occurs? I'm not aware of a way to ignore CSP on a site-by-site basis, but an extension might be able remove those headers so that Firefox can't obey them. (Adding CSP headers is one way extensions control the kinds of content loaded into the page.)
For me it happens on any site where there is a embedded twitter video.
This page for example
https://www.theringer.com/nfl/2017/9/7/16270156/the-ringer-fantasy-football-draft-oral-history
It has an embedded Twitter video half way down. On pressing play it gives a black screen with text "the media cannot be played" and reports a CSP error
||twitter.com/i/csp_report? -- csp_report https://twitter.com/i/csp_report?a=NVQWGYLXFVYGYYLZMFRGYZJNNVSWI2LB&ro=false
If I disable CSP in about:config (toggle security.csp.enable to False) the video will play.
I have seen this happen on several websites using Firefox. It doesn't happen on Chrome. IDK if Firefox is doing something wrong, if Twitter is doing something wrong or Chrome is doing something wrong.
I'm up to date on the Beta channel
Firefox 58.0b12 (64-bit)
I confirmed the problem with the player on https://www.theringer.com/nfl/2017/9/7/16270156/the-ringer-fantasy-football-draft-oral-history
My download manager did find a 'stream' that I downloaded. A 2-minute clip. No issues playing the downloaded file.
Some threads about Twitter:
- /questions/1196752 Why do I get a message "The media could not be played" at some websites?
- /questions/1195465 For the last few days, embedded twitter videos won't load -- show "The media could not be played." error -- but they load just fine on twitter.com
- /questions/1196190 "Media Could Not Be Played" on Tweetdeck
- /questions/1188176 Twitter says "The media could not be played"
Hmm, if you open the Web Console in the lower part of the tab (Ctrl+Shift+k), then right-click the black video-fail rectangle, click This Frame, click Show Only This Frame: you get a new page on https://twitter.com/ that gives the same CSP errors. So it seems to be something internal to the embedded player page that is incompatible with Firefox.