CSP for Worker scripts

Toru Kobayashi
2 min read · May 4, 2020

Do you know how to apply CSP (Content-Security-Policy) to the scope of a worker script?

The answer is to add a CSP header to the response that serves the worker script.

What is the use case for applying CSP to a worker script? A worker script can't access DOM objects, so we don't have to care about XSS in a worker, do we? Yes, you are right, but I have a use case for it: I'd like to limit network access from a worker script.

So I tried to verify whether the approach actually works, because I think CSP is a valid option for this use case. The following is a Glitch project that I've created for the test.

https://glitch.com/edit/#!/rift-innate-meerkat

The Glitch project has an iframe that loads an image and a worker script that fetches a JSON file, so I expect both the image and the JSON to be blocked.

According to MDN, Chrome and Firefox support this case, but Safari and IE do not. The actual results were different: Safari supports it, but Chrome seems to have an issue, because Chrome succeeded in loading the JSON. Here is an issue for this.

As a result, I've found that the browser compatibility table doesn't reflect the actual behavior of browsers, so I've sent a PR and an issue to mdn/browser-compat-data.

I’m not sure what the current status is because I don’t have permission to access the issue. Anyway, I hope that Chrome fixes the issue.
