We are getting the following issue after upgrading to 0.118 in Chrome, macOS: 10.15.3.
VM139:1 Refused to connect to 'blob:...' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
When showing models loaded with the GLTFLoader.js.
This doesn’t happen when running the example locally, only when running it via our local CI.
This isn’t an issue with 0.117.
As far as I can tell, this is the reason for this issue: https://github.com/mrdoob/three.js/pull/19518/files, i.e. three.js uses the ImageBitmapLoader and not the TextureLoader anymore.
Is there a way I can set a different Content Security Policy to use when loading the models?