1

I have a site that loads on homolog.example.com, but load all assets from homolog-assets.example.com. This initial load is okay, but a lib I'm using tries to create a Worker, but when it does, I get the error:

SecurityError: Failed to construct 'Worker' Script at 'https://homolog-assets.example.com/js/script.js' cannot be accessed from origin 'https://homolog.example.com'.

Is there a way to tell the browser that scripts loaded from that domain can create Workers and things like that?

Animaleante
  • 97
  • 1
  • 4
  • 9
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src – Bergi Apr 30 '21 at 01:35
  • 2
    Is it really a ServiceWorker that is being created? This error sounds more like it's about a WebWorker. Also, can you edit this library's code? What gives it the URL? If their path is relative, it should be relative to the current document, so it's a bit weird. If it's hard-coded and you can edit it, then https://stackoverflow.com/a/62914052/3702797 – Kaiido Apr 30 '21 at 02:02
  • @Bergi a CSP error would tell so in the error message. – Kaiido Apr 30 '21 at 02:02
  • 5
    The HTML spec requires fetching of a `new Worker(url)` URL to fail if the URL isn’t same-origin with the document it’s called from. See https://html.spec.whatwg.org/#fetch-a-classic-worker-script, where is says the request mode is `same-origin`. For a request made in `same-origin` mode to a non-same-origin URL, browsers are required to throw. But if you first create a Blob with `importScripts(…)` and that same URL, create a blob URL from that, and call `new Worker(…)` with that blob URL, it’ll work. See https://stackoverflow.com/a/62914052/441757 and https://stackoverflow.com/a/60252783/441757 – sideshowbarker Apr 30 '21 at 02:34
  • 1
    Ah, [you're right](https://medium.com/@krishnachirumamilla/content-security-policy-worker-src-cd06ecfa2fe8) – Bergi Apr 30 '21 at 02:44
  • Sorry, did not know ServiceWorker was different from WebWorker. Never utilized them before. Was trying to find if there was some configuration I could change for this work, given that the code instantiating the Worker was not my own. But will try your suggestion @sideshowbarker, thanks everyone. – Animaleante Apr 30 '21 at 14:42
  • Hey @Animaleante Did you get a solution for this problem ? I'm also facing the same. – ashish_pal Apr 01 '22 at 07:59

0 Answers0