Right now in the spec, workers can only be allowed by specifying a source expression like `*`, `'self'`, `https:`, `example.com`, etc.
It would be nice if there were literally any other option. This issue claims that `strict-dynamic` is supposed to work, but the spec doesn't seem to match that. And it's not totally clear how it's supposed to work: is the idea that `worker-src 'strict-dynamic'` would allow literally any worker to be loaded? I can't see how it would do anything else, but I don't know, because it's not specified.
In particular, it would be really nice if hashes worked, so that you could use blob URLs. Right now, if you want to have a small worker embedded in another script (to save a round trip), the way you do it is with a blob URL, which means you have to allow `worker-src blob:`, which is basically equivalent to `'unsafe-eval'`. That's unavoidable under the current design. If `strict-dynamic` actually worked it would be an alternative, but potentially an excessively permissive one. Hashes would be much nicer, as would nonces.
See also #375 and its linked issues, which ask more about dependencies.
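To make the matching behaviour described above concrete, here is a simplified model of the CSP3 `worker-src` source-list check, written as an added example (it is not code from this issue, from the spec, or from any browser). It implements the URL-matching expressions the author lists (`*`, `'self'`, scheme-sources such as `https:` and `blob:`, and host-sources), plus the `worker-src` → `child-src` → `script-src` → `default-src` fallback chain. Quoted expressions other than `'self'` and `'none'` (nonces, hashes, `'strict-dynamic'`) are treated as matching no URL, since the spec gives them no URL-matching meaning for workers. The origins `app.example` and `cdn.example`, the blob URL, and the simplified `'self'` and path rules are assumptions made for the demo; in a browser the blob URL would come from `URL.createObjectURL(new Blob([workerSource]))`.

```javascript
// Simplified CSP3 worker-src matcher (added example; not spec text or browser code).
// Only the URL-matching subset is modelled: *, 'self', scheme-source, host-source, 'none'.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a policy string into { directiveName: [expression, ...] }.
function parsePolicy(header) {
  const directives = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// worker-src falls back to child-src, then script-src, then default-src.
function workerSourceList(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives[name]) return directives[name];
  }
  return null; // no governing directive: nothing is restricted
}

function portOf(u) { return u.port || DEFAULT_PORT[u.protocol] || ''; }

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

// Does a single source expression match `url`, evaluated in the document's origin?
function expressionMatches(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === '*') {
    // '*' covers network schemes (or the document's own scheme); never blob:, data:, filesystem:
    return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol) || url.protocol === origin.protocol;
  }
  if (e === "'self'") {
    // Simplified: same scheme, host and port as the document. A blob: URL has scheme blob and no host.
    return url.protocol === origin.protocol && url.hostname === origin.hostname && portOf(url) === portOf(origin);
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    // scheme-source; http: also admits https:, ws: also admits wss:
    return url.protocol === e || (e === 'http:' && url.protocol === 'https:') || (e === 'ws:' && url.protocol === 'wss:');
  }
  // Other quoted keywords ('strict-dynamic', 'nonce-…', 'sha256-…') have no URL semantics for workers.
  if (e.startsWith("'")) return false;
  // host-source: [scheme://]host[:port][/path]; scheme defaults to the document's scheme.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? scheme + ':' : origin.protocol;
  if (!(url.protocol === wantScheme || (wantScheme === 'http:' && url.protocol === 'https:'))) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== portOf(url)) return false;
  if (path) {
    // Simplified path rule: a trailing slash means prefix match, otherwise exact match.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would the document at `documentUrl`, under `header`, be allowed to start a worker from `workerUrl`?
function workerAllowed(header, workerUrl, documentUrl) {
  const list = workerSourceList(parsePolicy(header));
  if (list === null) return true;
  if (list.length === 1 && list[0].toLowerCase() === "'none'") return false;
  const url = new URL(workerUrl), origin = new URL(documentUrl);
  return list.some(expr => expressionMatches(expr, url, origin));
}

// Demo of the inline-worker pattern from the issue. The blob URL is constructed to have the shape
// a browser produces (blob:<document origin>/<uuid>); the origins are placeholders.
function demo() {
  const doc = 'https://app.example/';
  const blobWorker = 'blob:https://app.example/5f2e8a7c-0000-4000-8000-000000000001';
  return {
    selfBlob: workerAllowed("worker-src 'self'", blobWorker, doc),    // false: 'self' is https://app.example, not blob:
    starBlob: workerAllowed('worker-src *', blobWorker, doc),         // false: '*' excludes blob:
    httpsBlob: workerAllowed('worker-src https:', blobWorker, doc),   // false
    blobBlob: workerAllowed('worker-src blob:', blobWorker, doc),     // true: the only way to admit it today
    // blob: is content-blind: a blob built from any script body is equally allowed.
    blobAnyContent: workerAllowed('worker-src blob:', 'blob:https://app.example/any-other-uuid', doc), // true
    fallback: workerAllowed("default-src 'self'; script-src 'self' https://cdn.example", 'https://cdn.example/w.js', doc), // true via script-src
  };
}
```

The `blobAnyContent` case is the author's point in code: once `blob:` is in the list, every blob URL the page's scripts can mint is admitted regardless of what it contains, which is why it behaves much like `'unsafe-eval'`, whereas a hash or nonce expression would bind the allow-list entry to a specific worker body. Under the current spec such an expression simply falls into the "no match" branch.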