
What aspects of THEOplayer do we need to take into account to deploy a proper Content Security Policy (CSP)

The script-src sources 'self' and 'inline' should be allowed. The player also needs to make calls to *.theoplayer.com and to wherever the JavaScript files and workers are located. Additionally, depending on your active features, you may need to add other sources (e.g. if you are using Chromecast, you will need to allow https://www.gstatic.com/, as its library is hosted there).

Designed to be fully compatible with browser versions that don’t support it, Content Security Policy (CSP) is an additional layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. (source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

When configuring CSP on your pages including THEOplayer, you will need to allow:

  • *.theoplayer.com, as the license needs to contact this domain
  • the domain(s) where your JavaScript and worker files are hosted
  • script-src: 'self' and 'inline'
  • any domains hosting the libraries related to the features of THEOplayer that you are using. For example, Google IMA, Chromecast, FreeWheel, Youbora, Conviva, etc.

Note: In old 2.X versions, script-src 'unsafe-eval' also needed to be added. As of 2.48.0 this is no longer needed.
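
One way to check a deployed policy against the checklist above, as an added example that is not THEOplayer's own code. It assumes the page's 'inline' corresponds to the CSP keyword 'unsafe-inline' and that the hosts belong in script-src, connect-src and worker-src (the page does not name directives); auditTheoCsp and its option names are hypothetical.

```javascript
// Added example: audit a CSP value against the THEOplayer checklist above.
// Assumption: directive placement is chosen here; the page names only the sources.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// Source list governing a directive, following the CSP fallback chain.
function effective(policy, directive) {
  const name = FALLBACK[directive].find((d) => policy.has(d));
  return name ? policy.get(name) : null; // null: this fetch type is unrestricted
}
function allows(sources, want) {
  if (sources === null) return true;
  if (want.startsWith("'")) return sources.includes(want); // keywords match exactly
  return sources.some((src) => {
    if (src === '*' || src === 'https:') return true;
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[:\/].*$/, '');
    return host === want || (host.startsWith('*.') && want.endsWith(host.slice(1)));
  });
}
// assetHost: host of the player's JS and worker files; featureHosts: feature libraries.
function auditTheoCsp(header, { version, assetHost, featureHosts = [] }) {
  const policy = parseCsp(header);
  const findings = [];
  const need = (d, want) =>
    allows(effective(policy, d), want) || findings.push(`${d} is missing ${want}`);
  need('script-src', "'self'");
  need('script-src', "'unsafe-inline'");
  need('connect-src', '*.theoplayer.com'); // the license contacts this domain
  need('script-src', assetHost);
  need('worker-src', assetHost);
  featureHosts.forEach((h) => need('script-src', h));
  const [major, minor] = version.split('.').map(Number);
  if (major === 2 && minor < 48) need('script-src', "'unsafe-eval'"); // old 2.X only
  else if ((effective(policy, 'script-src') || []).includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval', not needed as of 2.48.0");
  }
  return findings;
}
```

Pass the value of the Content-Security-Policy header as the first argument; an empty array means every item on the checklist is covered. For Chromecast, pass www.gstatic.com in featureHosts.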

Resources

The following resources provide more information:

Copyright © 2020. All Rights Reserved.