This is still about playing Twitter content embedded in a web page that is prohibited by CSP rules as you can see if you right-click the player and open Page Info (This Frame > View Page Info). This kind of media content can only be viewed directly on the Twitter website.

The Web Console shows a lot of error about blocked content and I also see a padlock with an exclamation mark that passive content is present but not blocked.

• "3-bar" menu button or Tools -> Web Developer
• https://developer.mozilla.org/en/Tools/Web_Console

"This kind of media content can only be viewed directly on the Twitter website. "

Are you sure about that?

The reason I ask is because that video (and the other ones that failed) all work with Chrome and Internet Explorer.

Color me confused. :-)

Google Chrome may be interpreting CSP rules differently and I'm not sure if IE is even supporting CSP since this is an older browser. Edge, the default browser on Windows 10, seems to be affected as well.

See also:

• /questions/1196774 What is Mozilla doing about Twitter embedded videos violating CSP?

That link you posted was quite helpful...and I agree that Firefox and Edge don't play the video...while Chrome and Internet Explorer do.

Commenter 'BrianCW' suggested disabling CSP in about:config (toggle security.csp.enable to False).

But this did nothing for me -- including closing and restarting Firefox.

I reported this to the website (Mediaite) I found with multiple failing videos (i.e. multiple embedded Twitter videos).

But it's not clear to me as someone unfamiliar with CSP whether they can fix their videos for FF & Edge. Do you know the answer?

Thanks again for your feedback.

sdmike said

"This kind of media content can only be viewed directly on the Twitter website. " Are you sure about that? The reason I ask is because that video (and the other ones that failed) all work with Chrome and Internet Explorer. Color me confused. :-)

The tweet this embeded twitter video is from https://twitter.com/FoxNews/status/945444050072625152 which works.

James said: "The tweet this embeded twitter video is from https://twitter.com/FoxNews/status/945444050072625152 which works."

Yeah, I noticed that earlier today and wrote it off as -- forgive me -- anecdotal information given that the Chrome & Edge browsers display these embedded Twitter videos (residing on websites) okay.

I am waiting to hear back as to whether there is anything the websites can do so these types of videos work with all four browsers.

Or for that matter, can Mozilla make Firefox work like Chrome and Edge when it comes to "CSP rules"?

Cheers.

Michael T. Senior Software Engineer (happily retired)

Actually people have been recently reporting the same issue with the embedded twitter videos on Edge also.

James said

Actually people have been recently reporting the same issue with the embedded twitter videos on Edge also.

My mistake. It's Chrome and IE where the embedded videos display okay. NOT Chrome and Edge.

Fwiw, toggling security.csp.enable works for me on 56 and 57 up to Nightly for both websites reported here and in the other question. Perhaps you need to refresh the page bypassing the cache using Ctrl+F5? You probably also need to accept cookies from Twitter.

Tonnes said

Fwiw, toggling security.csp.enable works for me on 56 and 57 up to Nightly for both websites reported here and in the other question. Perhaps you need to refresh the page bypassing the cache using Ctrl+F5? You probably also need to accept cookies from Twitter.

Some combination of your suggestions allowed me to view the embedded Twitter video at: link text

This included toggling security.csp.enable...which didn't help earlier. Perhaps it was (mostly) deleting the Twitter cookie and then recreating it by logging back on to Twitter. Sure fooled me.

Tonnes said

Fwiw, toggling security.csp.enable works for me on 56 and 57 up to Nightly for both websites reported here and in the other question. Perhaps you need to refresh the page bypassing the cache using Ctrl+F5? You probably also need to accept cookies from Twitter.

That worked for me. I'm not sure what it does, but it works. :)

Dypsis said

Tonnes said

Fwiw, toggling security.csp.enable works for me

That worked for me. I'm not sure what it does, but it works. :)

CSP is a set of rules sites can declare for what content browsers can execute/load in the site's pages. This is one way sites help protect you from accidentally providing sensitive information to scam scripts injected by user-generated content.

Something is wrong with Twitter's CSP rules in its embedded player that stops the player from working right now. It would be better to keep CSP on, but I understand it is inconvenient to click the bird and view the video on Twitter itself.

jscher2000 said

Dypsis said

Tonnes said

Fwiw, toggling security.csp.enable works for me

That worked for me. I'm not sure what it does, but it works. :)

CSP is a set of rules sites can declare for what content browsers can execute/load in the site's pages. This is one way sites help protect you from accidentally providing sensitive information to scam scripts injected by user-generated content.

Something is wrong with Twitter's CSP rules in its embedded player that stops the player from working right now. It would be better to keep CSP on, but I understand it is inconvenient to click the bird and view the video on Twitter itself.

Wonder why this is not an issue with Google Chrome. Are we to make the inference that it does not provide the same level of CSP rules/protection?

Color me confused.

However, this is not to diminish my appreciation for learning that toggling security.csp.enable does seem to allow embedded videos to be viewed from a website.

Okay, I get from reading through the above that toggling security.csp.enable is a possible workaround.

But is it safe to do that, or does that open one to some vulnerability?

Also: Is this something totally up to Twitter, and so timid souls such as myself just need to stay away from any embedded videos that trigger this message? Or what?

More info from those who understand this problem far more than I would be much appreciated.

Hi K2nc2016, can I quote my own earlier reply:

CSP is a set of rules sites can declare for what content browsers can execute/load in the site's pages. This is one way sites help protect you from accidentally providing sensitive information to scam scripts injected by user-generated content.

Something is wrong with Twitter's CSP rules in its embedded player that stops the player from working right now. It would be better to keep CSP on, but I understand it is inconvenient to click the bird and view the video on Twitter itself.

In my opinion, you should keep CSP enabled as much as possible. However, if you find it too inconvenient to launch videos on Twitter instead of viewing them embedded, you can turn it off temporarily while you use sites like that, and avoid using sites involving sensitive data during that time.

Thank you for the information.