Worker() constructor - update for TT #42073
Conversation
(comment last updated: 2025-11-24 06:39:17)
| > See [Security considerations](#security_considerations) for more information. | ||
| > [!NOTE] | ||
| > There is a disagreement among browser manufacturers about whether a data URL is of the same origin or not. Though Firefox 10 and later accept data URLs, that's not the case in all other browsers. |
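Review bot: Deleting the `[!NOTE]` callout removes the only mention in this section that browsers differ in how they treat `data:` URLs for workers; if the replacement text is the "data: and blob: URLs" section further down, the retained line `> See [Security considerations](#security_considerations) for more information.` should point readers there explicitly (or the callout should be replaced with a one-line pointer to that section) so the behaviour stays discoverable from the top of the page.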
FYI, I have removed this because it is no longer true. This is covered below in section "data: and blob: URLs" - that is my interpretation of the spec after some discussion with a few very confused AIs.
| > There is a disagreement among browser manufacturers about whether a data URL is of the same origin or not. Though Firefox 10 and later accept data URLs, that's not the case in all other browsers. | ||
| The **`Worker()`** constructor creates a {{domxref("Worker")}} object that executes the script at the specified URL. | ||
|
|
||
| This script must obey the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy). |
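Review bot: The retained sentence `This script must obey the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy).` is ambiguous: it reads as a hard requirement that the worker script be same-origin with the document, yet the same page documents passing `url` through Trusted Types, which only adds value if other URLs can be supplied at all. Say precisely what is restricted (the fetch of the script, and which schemes or origins are accepted) and link to the section that spells out the URL policy, rather than leaving a one-line claim whose scope the reader has to guess.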
This is very confusing, because it implies that the worker must be same-origin with its owner. Perhaps that was once true. Or more likely this means more generally that you can only load same-origin docs by default but you are restricted by CORS rules for cross origin resources.
I infer this because the options you can pass only make sense if you can pass cross origin urls.
@wbamberg Do you think this is reasonable?
| > This way, the path is relative to the current script instead of the current HTML page, which allows the bundler to safely do optimizations like renaming (because otherwise the `worker.js` URL may point to a file not controlled by the bundler, so it cannot make any assumptions). | ||
| - : A {{domxref("TrustedScriptURL")}} object or a string representing the URL of the script the worker will execute. | ||
| It must obey the same-origin policy. |
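Review bot: `It must obey the same-origin policy.` in the `url` parameter entry duplicates the sentence in the description paragraph, so the two will drift when one is corrected; keep the policy explanation in one place and have the parameter entry link to it (for example "See [Security considerations](#security_considerations) for the URLs that are accepted").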
Again with the same-origin thing. Depending on answer above I think I will remove this and have a section on the URL policy below. If it was only same origin TT wouldn't make much sense IMO. Though I guess you could still use it to block URLs with URL parameters from the same site.
| - : Thrown if `url` cannot be parsed. | ||
| - `TypeError` | ||
| - : Thrown if the `url` parameter is set with a string when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are [enforced by a CSP](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types) and no default policy is defined. | ||
| <!-- This is also thrown if the fetched URL cannot be successfully parsed as its indicated type. --> |
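Review bot: The HTML comment `<!-- This is also thrown if the fetched URL cannot be successfully parsed as its indicated type. -->` under the `TypeError` entry is an unverified claim carried over from another page; either confirm it against the spec and promote it to a visible bullet, or drop it before merge, since commented-out reference text tends to be forgotten and later surfaced as fact. The visible `TypeError` condition (a string passed while Trusted Types are enforced and no default policy exists) is fine as written.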
This was true in the other case I copied the error from. Not sure yet if true here.
| If you're using this property and [enforcing trusted types](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types) (using the [`require-trusted-types-for`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/require-trusted-types-for) CSP directive), you will need to always assign {{domxref("TrustedScriptURL")}} objects instead of strings. | ||
| This ensures that the input is passed through a transformation function, which has the chance to reject or modify the URL before it is injected. | ||
| <!-- Need to check COORs/COEP rules.--> |
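Review bot: `<!-- Need to check COORs/COEP rules.-->` is an unresolved TODO with a typo ("COORs" for CORS) and should not reach the published page; resolve it before merge. Also, the paragraph opens with `If you're using this property`, but `url` is a constructor parameter, not a property, so "If you're using this constructor" (or "this parameter") is the accurate wording; the rest of the paragraph, which says the string is passed through a transformation function that can reject or modify the URL before it is used, is the key security point and reads correctly.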
So as above I think this is subject to CORS, which means that a non-same-origin URL is blocked by default. I see this as lower risk, though I guess a site might host "evil" files by accident (i.e. if it were a wiki) and then these could be loaded in the same-site context.
But more generally a cross-origin resource would have to allow "evil js" explicitly for it to be accessible. So what do I say here - just that?
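The discussion above turns on what a Trusted Types policy actually buys you for `url`: with `require-trusted-types-for 'script'` enforced, a plain string passed to `new Worker()` throws, and the only way to get a `TrustedScriptURL` is through a policy's `createScriptURL` function, which can reject cross-origin URLs, `data:`/`blob:` schemes, and same-site URLs carrying query parameters before the fetch ever starts. The following is an added example, not code from the MDN page or this PR; it assumes a constructed page origin `https://app.example`, worker scripts under `/workers/`, and a policy name `worker-urls` that the page's CSP `trusted-types` directive allows. The transformation function is plain JavaScript so it runs outside a browser; the browser-only `trustedTypes` and `Worker` calls are guarded.

```javascript
// Added example (not from the MDN page or the PR): a Trusted Types
// transformation function for Worker script URLs, and how it would be
// registered as a policy on a page that enforces
// `require-trusted-types-for 'script'`.
//
// Assumptions (constructed for this example): the page origin is
// https://app.example, worker scripts live under /workers/, and the
// policy name "worker-urls" is permitted by the page's CSP.

const PAGE_ORIGIN = "https://app.example";
const WORKER_PATH_PREFIX = "/workers/";

// The transformation function receives the string the caller would have
// handed to `new Worker()` and either returns the URL string to use or
// throws. Throwing means no TrustedScriptURL is produced, so the
// unexpected URL never reaches the worker script fetch.
function createWorkerScriptURL(input) {
  let url;
  try {
    // Relative URLs resolve against the page origin, as the browser would.
    url = new URL(String(input), PAGE_ORIGIN + "/");
  } catch {
    throw new TypeError(`Worker URL is not parseable: ${input}`);
  }

  // Only same-origin https scripts are accepted. This rejects cross-origin
  // URLs and, because their origin is "null", data:, blob: and javascript:
  // schemes as well. A scheme downgrade (http://app.example) is also refused.
  if (url.origin !== PAGE_ORIGIN) {
    throw new TypeError(`Worker URL is not same-origin: ${url.href}`);
  }

  // Pin the script to a known directory. URL parsing has already collapsed
  // "." and ".." segments, so "../admin.js" lands outside the prefix here.
  if (!url.pathname.startsWith(WORKER_PATH_PREFIX) || !url.pathname.endsWith(".js")) {
    throw new TypeError(`Worker URL is outside the allowed path: ${url.pathname}`);
  }

  // Percent-encoded characters survive parsing ("..%2F" is a single
  // segment to the URL parser but may be decoded by the server), so refuse
  // any encoding in the path rather than trying to enumerate bad cases.
  if (url.pathname.includes("%")) {
    throw new TypeError(`Worker URL path must not be percent-encoded: ${url.pathname}`);
  }

  // Reject query strings and fragments so a URL parameter cannot steer
  // which script runs (the "same-site URL with parameters" case above).
  if (url.search !== "" || url.hash !== "") {
    throw new TypeError(`Worker URL must not carry a query or fragment: ${url.href}`);
  }

  return url.href;
}

// In a browser, register the function as a policy. `trustedTypes` is
// undefined outside browsers, so this is guarded to keep the file loadable
// under Node.
function getWorkerUrlPolicy() {
  if (typeof globalThis.trustedTypes === "undefined") {
    return null;
  }
  return globalThis.trustedTypes.createPolicy("worker-urls", {
    createScriptURL: createWorkerScriptURL,
  });
}

// Construction site: with enforcement on, `new Worker("/workers/x.js")`
// throws a TypeError; `new Worker(policy.createScriptURL("/workers/x.js"))`
// is accepted because the value is a TrustedScriptURL produced by the policy.
function startWorker(path) {
  const policy = getWorkerUrlPolicy();
  const trusted = policy ? policy.createScriptURL(path) : createWorkerScriptURL(path);
  return new Worker(trusted);
}
```

The function returns the normalised `href` rather than the input string, so the Worker always receives an absolute, already-validated URL; everything the policy cannot vouch for is a thrown `TypeError`, which is the outcome the enforced CSP would otherwise produce for a bare string.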
This pull request has merge conflicts that must be resolved before it can be merged.
The worker constructor takes a `url` parameter that can be a `TrustedScriptURL`. This attempts to follow the pattern of our other trusted types docs and add the header warning and security considerations section. Note this is a draft because I am trying to tidy up other inconsistencies with the documentation.
Related project: #41507