Errors when web workers use importScripts() #7
Comments
Thanks for reporting this! I can reproduce this issue.
I got an answer from koto:
Don't think there's anything we can do (maybe intercept the request and inject Trusted Types?)
I think that makes sense. On first sight, it seems a little inconsistent though that The injection might be doable if extensions can tell something is requesting a web worker and prepend a default trusted type definition to the response.
I also ran into the same issue in Chrome version 86.
Hey, I stumbled upon a similar issue as #1 (This document requires 'TrustedScriptURL' assignment.) for websites that leverage web workers. It seems that Chrome isn't using the default policy as a fallback in case strings are passed to importScripts() resulting in errors since the CSP enforces trusted types.
The minimal POC to reproduce this is:
index.html
script1.js
script2.js
Here's a live version http://165.227.165.4/web-worker-trusted-types/index.html
I couldn't find much information regarding this behaviour, however, my gut feeling tells me this might be a bug in Chrome, but I'm not too familiar with web workers (and how they work with trusted types). Just thought that I'll mention it here if others run into it (not sure there is anything the extension could do in these cases).
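The comments above suggest prepending a default Trusted Types definition to the worker script. The following shows what such a worker-side `default` policy for `importScripts()` could look like; it is an added example, not code from this issue or from the extension. It assumes policies are scoped to each global, so the worker has to register its own, and `ALLOWED_ORIGINS`, `makeScriptURLRule` and `installWorkerDefaultPolicy` are hypothetical names.

```javascript
// Added example: worker-side 'default' Trusted Types policy for importScripts().
// ALLOWED_ORIGINS and both function names are hypothetical, not from the issue.
const ALLOWED_ORIGINS = new Set(['https://app.example']); // constructed sample value

// Builds the createScriptURL rule: resolve the string against the worker's own
// URL, then accept only http(s) URLs whose origin is on the allow-list.
function makeScriptURLRule(baseURL, allowedOrigins) {
  return function createScriptURL(input) {
    let url;
    try {
      url = new URL(String(input), baseURL);
    } catch (e) {
      throw new TypeError('Unparseable script URL: ' + input);
    }
    // Scheme check first: a blob: URL reports the origin of the page that
    // created it, so an origin check alone would let it through.
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      throw new TypeError('Blocked script URL scheme: ' + url.protocol);
    }
    if (!allowedOrigins.has(url.origin)) {
      throw new TypeError('Blocked script URL origin: ' + url.origin);
    }
    return url.href;
  };
}

// Registers the rule as the 'default' policy of the given global scope.
// Returns the policy, or null when Trusted Types is unavailable in that scope.
function installWorkerDefaultPolicy(scope, allowedOrigins) {
  if (!scope.trustedTypes || typeof scope.trustedTypes.createPolicy !== 'function') {
    return null;
  }
  const base = scope.location ? scope.location.href : undefined;
  return scope.trustedTypes.createPolicy('default', {
    createScriptURL: makeScriptURLRule(base, allowedOrigins),
  });
}

// Inside a real worker this has to run before the first importScripts() call.
if (typeof WorkerGlobalScope !== 'undefined' && self instanceof WorkerGlobalScope) {
  installWorkerDefaultPolicy(self, ALLOWED_ORIGINS);
}
```

If the worker's CSP also carries a `trusted-types` directive, that directive has to permit the policy name `default` for the registration to succeed.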