Add option not to use a blob: URL for the worker source #322

Merged
merged 2 commits into from Aug 27, 2019
ClearlyClaire
Contributor

No description provided.

@nolanlawson

Thanks for this PR; I ran into this issue too due to CSP. :)

One thing I wonder: why default to using a Blob URL at all? If the worker can call importScripts() on a URL, then it should be able to load that URL directly in a worker as well. I also can't think of an environment where one would want CSP to allow blob:, but disallow self (since one is inherently more insecure than the other).

@ClearlyClaire
Contributor Author

As far as I understand, having a Blob URL for workers makes them inherit from the document's CSP whereas using a URL requires you to set an appropriate CSP when serving the worker JS file.

This might be the reason for the Blob URL, I am not sure.

@jeromewu merged commit b6e9d6c into naptha:master Aug 27, 2019

@nolanlawson

It's still possible to have CSP that disallows blob: URLs (in fact, this was my setup). I'd argue it's much more common in fact for CSP to allow self but not blob:, hence why I find this default a bit odd. But as long as it can be toggled, great! :)

@ClearlyClaire
Contributor Author

ClearlyClaire commented Sep 15, 2019 via email
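
Added example, not part of this pull request or the project's code: a small checker for the CSP situation discussed in this thread, showing which directive governs `new Worker()` and whether a `blob:` or same-origin worker URL passes it. The origin, URLs and policies are constructed, and the source matcher is simplified (it handles `'self'`, `'none'`, `*`, scheme sources and full origins only).

```javascript
// Directive fallback chain a browser uses for Worker() under CSP Level 3.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Constructed sample values (assumptions, not taken from the project).
const PAGE_ORIGIN = 'https://app.example';
const DIRECT_URL = 'https://app.example/worker.min.js';
const BLOB_URL = 'blob:https://app.example/3f0c2a9e-constructed';
const SELF_ONLY = "default-src 'self'; script-src 'self' https://cdn.example";
const BLOB_WORKERS = "default-src 'self'; worker-src blob:";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function governingDirective(policy) {
  const directives = parseCsp(policy);
  const name = WORKER_FALLBACK.find((d) => directives.has(d));
  return name ? { name, sources: directives.get(name) } : null;
}

function workerAllowed(policy, workerUrl, pageOrigin) {
  const governing = governingDirective(policy);
  if (!governing) return true; // no applicable directive: workers unrestricted
  const url = new URL(workerUrl);
  const isBlob = url.protocol === 'blob:';
  return governing.sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    // 'self' and '*' never match blob: URLs; blob: must be listed explicitly.
    if (s === "'self'") return !isBlob && url.origin === pageOrigin;
    if (s === '*') return ['http:', 'https:'].includes(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
    try {
      return !isBlob && new URL(s).origin === url.origin; // full-origin source
    } catch {
      return false; // keywords, bare hosts, etc. are not handled here
    }
  });
}
```

Note that once `worker-src` is present it replaces the fallback chain entirely, so a policy listing only `blob:` there blocks the same-origin worker file.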

3 participants