Content-Security-Policy object-src blob

Question

When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL I get an error like the following:

Answer 1

For Chrome 47.0.2526.73:

default-src * blob:;

worked for me

Answer 2

The spec compliant answer is object-src 'self' blob:

blob: should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.