worker-src
The worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. This directive helps control which sources can be used to load workers, ensuring security while enabling necessary functionality.
Recommended Values
'self' allows worker scripts to be loaded and executed from the page's own origin.
https://subdomain.domain.com allows worker scripts to be loaded from that specific host.
Recommended worker-src configuration
Content-Security-Policy: worker-src 'self' https://example.com;
Tips & Tricks
If this directive is absent, the user agent will look for the child-src directive (which in turn falls back to the default-src directive).
Don't use 'unsafe-*' values or broad scheme sources such as data:, blob:, http: or https:, as they may introduce security vulnerabilities.
Example Configurations
Example policy allowing the same origin and a specific external site
Content-Security-Policy: worker-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script>
var worker = new Worker('/js/worker.js');
</script>
<!-- allowed by https://example.com -->
<script>
var sharedWorker = new SharedWorker('https://example.com/shared-worker.js');
</script>
<!-- allowed by 'self' -->
<script>
navigator.serviceWorker.register('/service-worker.js');
</script>
Blocked
<!-- blocked as data: URI is not allowed -->
<script>
var blockedWorker = new Worker("data:application/JavaScript, ...");
</script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
blockedWorker = new SharedWorker("https://malicious.website.com/");
</script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
navigator.serviceWorker.register('https://malicious.website.com/sw.js');
</script>
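To make the fallback chain from Tips & Tricks and the Allowed / Blocked cases above concrete, here is an added example (not code from the original page) that parses a Content-Security-Policy header value, resolves which directive governs workers (worker-src, then child-src, then default-src) and checks whether a worker script URL would be permitted. It implements only the matching rules the page's examples need ('self', 'none', '*', scheme sources such as data: and blob:, and host sources with an optional wildcard subdomain); port and path matching, nonces and hashes are left out. The document origin https://app.example.org is an assumption chosen for the demonstration.

```javascript
// Added example (not from the original page). Pass the header *value* only,
// without the "Content-Security-Policy:" name.

// Parse a policy string into { directive: [source expressions] }.
function parsePolicy(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// worker-src falls back to child-src, then to default-src.
// Returns { directive: null, sources: null } when nothing restricts workers.
function effectiveWorkerSources(policy) {
  for (const name of ['worker-src', 'child-src', 'default-src']) {
    if (policy[name]) return { directive: name, sources: policy[name] };
  }
  return { directive: null, sources: null };
}

// Does one source expression match the resolved worker URL?
function sourceMatches(source, workerUrl, documentOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return workerUrl.origin === documentOrigin;
  if (src === '*') return true;
  // Scheme source, e.g. data: or blob: (note: a data: URL has origin "null",
  // so it never matches 'self').
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return workerUrl.protocol === src;
  // Host source, e.g. https://example.com or https://*.example.com
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/);
  if (!m) return false; // keywords like 'unsafe-inline' do not match workers
  const [, scheme, wildcard, host] = m;
  if (scheme && workerUrl.protocol !== scheme + ':') return false;
  const h = workerUrl.hostname;
  return wildcard ? h.endsWith('.' + host) : h === host;
}

// Would a worker script at `url` (relative URLs resolve against the document
// origin) be allowed under this policy?
function isWorkerAllowed(header, documentOrigin, url) {
  const { sources } = effectiveWorkerSources(parsePolicy(header));
  if (sources === null) return true;
  const workerUrl = new URL(url, documentOrigin);
  return sources.some((s) => sourceMatches(s, workerUrl, documentOrigin));
}

// The page's recommended policy, checked against its Allowed / Blocked cases.
const POLICY = "worker-src 'self' https://example.com;";
const ORIGIN = 'https://app.example.org'; // assumed document origin

function demo() {
  return {
    sameOrigin: isWorkerAllowed(POLICY, ORIGIN, '/js/worker.js'), // true
    allowedHost: isWorkerAllowed(POLICY, ORIGIN, 'https://example.com/shared-worker.js'), // true
    dataUri: isWorkerAllowed(POLICY, ORIGIN, 'data:application/javascript,self.close()'), // false
    otherHost: isWorkerAllowed(POLICY, ORIGIN, 'https://malicious.website.com/sw.js'), // false
    // No worker-src present: child-src is consulted before default-src.
    fallback: effectiveWorkerSources(parsePolicy("default-src 'self'; child-src 'none'")).directive, // 'child-src'
  };
}

console.log(demo());
```

Running the block with Node prints the five results. The `fallback` entry shows why a policy that only sets default-src still governs workers, and why an explicit `child-src 'none'` would block every worker unless worker-src is also set.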
Additional Information
- The worker-src directive controls the sources for JavaScript workers
- It applies to Web Workers, Shared Workers, and Service Workers
- When not specified, it falls back to child-src, then to default-src
- Helps prevent unauthorized worker scripts from being loaded