Loading model via GLTFLoader with 0.118 throws error

We are getting the following issue after upgrading to 0.118 in Chrome, macOS: 10.15.3.

VM139:1 Refused to connect to 'blob:...' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

When showing models loaded with the GLTFLoader.js.

This doesn’t happen when running the example locally, only when running it via our local CI.

This isn’t an issue with 0.117.

As far as I can tell, this is the reason for this issue: https://github.com/mrdoob/three.js/pull/19518/files, i.e. three.js uses the ImageBitmapLoader and not the TextureLoader anymore.

Is there a way I can set a different Content Security Policy to use when loading the models?

If you’re able to change the CSP of your webserver, there are settings that would fix this.

If not, I’m surprised it worked before r118… can you load .glb files with embedded textures as well as .gltf files with external texures, in r117? We were using blob textures long before ImageBitmapLoader was added…

A live demo might be helpful, too, if you’re able to share one.

I can modify the CSP, I will try that, thanks.

Yes, we could load .gltf filse in r117, the PR I mentioned change from loading textures using the img element, to use the ImageBitmapLoader, which I suspect we weren’t using previously.