The spec compliant answer is object-src 'self' blob:
blob: should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.
The spec compliant answer is object-src 'self' blob:
blob: should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.