GLB Model loading properly because of the Content Security Policy

Good Day,

We have created an experience for a client. The Client is deploying the experience in a Nginx webserver. They have CSP setup for their existing projects, I want to know what will be the CSP needed for threejs to work properly.

Right now the GLB model is loading without any textures and they are getting errors thats related to some blob and CSP.

Thank you,

You need to add blob: source in you CSP header or the browser will refuse the request.

I am fairly new to this whole CSP thing, I googled about adding blob to CSP, I found I have to add this,

object-src ‘self’ blob:

Is this the correct one?

Then you need to do more research in order not to compromise security of the page.

I do not use 3JS importers, if I were a betting man:

<meta http-equiv="Content-Security-Policy" content="worker-src blob:; default-src  blob: data:; img-src 'self' blob: data:;connect-src 'self' blob: data:">


Thanks will try this.
Hopefully it works.