Content Security Policies (CSP) and Custom UI issue

Hey! Does anyone know what I am doing wrong?
I’m trying to implement ffmpeg in my Custom UI application and I can’t fix this console error:

Refused to load the script 'blob:https://92f5e87e-5f2a-4c8c-951e-08a1ba2f14c5.cdn.prod.atlassian-dev.net/5aa86812-58e0-4748-8894-8750a3153d6d' because it violates the following Content Security Policy directive: "script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-hashes' 'unsafe-eval' 'unsafe-inline' 'sha256-bOtzk1dUloN05g/LIFdqemUqePLDBuIpdj71nJ6aExc=' https://unpkg.com/@ffmpeg/core@0.10.0/dist/ffmpeg-core.js https://forge.cdn.prod.atlassian-dev.net". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I tried everything in my manifest.yml:

permissions:
  external:
    scripts:
      - 'https://unpkg.com/@ffmpeg/core@0.10.0/dist/ffmpeg-core.js'
      - 'https://forge.cdn.prod.atlassian-dev.net'
    fetch:
      backend:
        - '*.cdn.prod.atlassian-dev.net'
        - '*.cdn.prod.atlassian-dev.net/ac109162-2b01-4'
        - '*.unpkg.com'
        - 'unpkg.com'
        - '*.unpkg.com/@ffmpeg/core@0.10.0/dist/ffmp'
        - 'https://unpkg.com/@ffmpeg/core@0.10.0/dist/ffmpeg-core.js'
        - 'https://forge.cdn.prod.atlassian-dev.net'
      client:
        - '*.cdn.prod.atlassian-dev.net'
        - '*.cdn.prod.atlassian-dev.net/ac109162-2b01-4'
        - '*.unpkg.com'
        - 'unpkg.com'
        - '*.unpkg.com/@ffmpeg/core@0.10.0/dist/ffmp'
        - 'https://unpkg.com/@ffmpeg/core@0.10.0/dist/ffmpeg-core.js'
        - 'https://forge.cdn.prod.atlassian-dev.net'
  content:
    scripts:
      - 'unsafe-hashes'
      - 'unsafe-eval'
      - 'unsafe-inline'
  scopes:
    - 'write:jira-work'
    - 'read:jira-work'
    - 'read:jira-user'
    - 'manage:jira-project'
    - 'manage:jira-configuration'

I would be grateful for any hint:)

@ukaszWiniewski I’m not a CSP expert. However, it looks to me that this “blob” is not defined in your manifest external.fetch.client section. Try adding it there according to the comments from Stack Overflow.

Hi @ukaszWiniewski

Your app manifest is properly configured.

Unfortunately we do not yet support the blob: scheme in our script-src CSP policies. We do support it for image-src and media-src only.

We would have to make a change on our side in order to have this CSP violation disappear.

Hope this clarifies things.
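To see why no manifest entry clears this violation, the following added example (not code from this thread or from Atlassian) runs a simplified model of CSP source matching over the policy and blob URL quoted in the console error. SELF (the Custom UI page origin) is an assumption taken from the origin embedded in the blob URL, and the policy with `blob:` appended is hypothetical.

```javascript
// Simplified CSP source-list matching: ignores ports and http->https upgrades.
// POLICY and BLOB_URL are copied from the console error; SELF is an assumption.
const POLICY = "script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-hashes' 'unsafe-eval' 'unsafe-inline' 'sha256-bOtzk1dUloN05g/LIFdqemUqePLDBuIpdj71nJ6aExc=' https://unpkg.com/@ffmpeg/core@0.10.0/dist/ffmpeg-core.js https://forge.cdn.prod.atlassian-dev.net";
const BLOB_URL = 'blob:https://92f5e87e-5f2a-4c8c-951e-08a1ba2f14c5.cdn.prod.atlassian-dev.net/5aa86812-58e0-4748-8894-8750a3153d6d';
const SELF = 'https://92f5e87e-5f2a-4c8c-951e-08a1ba2f14c5.cdn.prod.atlassian-dev.net';

// Return the source expressions of one directive, e.g. script-src.
function parseSources(policy, directive) {
  const tokens = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(t => t[0].toLowerCase() === directive);
  return tokens ? tokens.slice(1) : [];
}

// Does one source expression match the URL being loaded?
function matchSource(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return matchSource(selfOrigin, url, selfOrigin);
  // 'unsafe-inline', 'unsafe-eval', hashes and nonces never match a URL by address.
  if (source.startsWith("'")) return false;
  // Scheme-source such as "blob:" or "https:" compares the URL scheme only.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  // Host-source: [scheme://]host[:port][/path]; the scheme defaults to the page's.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::[\d*]+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] || new URL(selfOrigin).protocol.slice(0, -1)).toLowerCase();
  // A blob: URL has scheme "blob", so every https host-source stops here.
  if (u.protocol !== scheme + ':') return false;
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.')
    ? u.hostname.endsWith(host.slice(1))
    : u.hostname === host;
  if (!hostOk) return false;
  const path = m[3];
  if (!path) return true;
  return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
}

function isScriptAllowed(policy, url, selfOrigin) {
  return parseSources(policy, 'script-src').some(s => matchSource(s, url, selfOrigin));
}

// Policy from the error message, then the hypothetical policy with "blob:" added.
console.log(isScriptAllowed(POLICY, BLOB_URL, SELF));
console.log(isScriptAllowed(POLICY + ' blob:', BLOB_URL, SELF));
```

In this model the host entries added through the manifest can only match URLs whose scheme is https, which is why only a `blob:` scheme source in script-src changes the result.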