worker-src

The worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. It restricts the origins from which worker scripts may be fetched, so that only scripts you have explicitly allowed can run as workers while legitimate worker functionality keeps working.

Recommended Values

  • 'self' allows worker scripts from the page's own origin (same scheme, host and port)

  • https://subdomain.domain.com allows worker scripts only from that specific origin (a host source)

Recommended worker-src configuration

Content-Security-Policy: worker-src 'self' https://example.com;

Tips & Tricks

  • If this directive is absent, the user agent falls back to the child-src directive (which in turn falls back to the default-src directive)

  • Don't use 'unsafe-*' values or broad scheme sources such as data:, blob:, http: or https:, as they may introduce security vulnerabilities by letting any script reachable over that scheme run as a worker.

Example Configurations

Example policy allowing same origin and specific external site

Content-Security-Policy: worker-src 'self' https://example.com;

Allowed

<!-- allowed by 'self' -->
<script>
  var worker = new Worker('/js/worker.js');
</script>

<!-- allowed by https://example.com -->
<script>
  var sharedWorker = new SharedWorker('https://example.com/shared-worker.js');
</script>

<!-- allowed by 'self' -->
<script>
  navigator.serviceWorker.register('/service-worker.js');
</script>

Blocked

<!-- blocked as data: URI is not allowed -->
<script>
  var blockedWorker = new Worker("data:application/JavaScript, ...");
</script>

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  blockedWorker = new SharedWorker("https://malicious.website.com/");
</script>

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  navigator.serviceWorker.register('https://malicious.website.com/sw.js');
</script>

Additional Information

  • The worker-src directive controls the sources for JavaScript workers
  • It applies to Web Workers, Shared Workers, and Service Workers
  • When not specified, it falls back to child-src, then to default-src
  • Helps prevent unauthorized worker scripts from being loaded
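
The snippet below is an added example, not part of this page or of any browser's code: a minimal model of how a user agent resolves the effective worker source list (worker-src, then child-src, then default-src) and checks a worker URL against it, reproducing the allowed and blocked cases shown above. It handles 'self', 'none', scheme sources and host sources; wildcards, nonces, hashes and the http-to-https upgrade rule of the real CSP matching algorithm are deliberately not modelled.

```javascript
// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// As in CSP, the first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Fallback chain for workers: worker-src -> child-src -> default-src.
// Returns which directive ended up governing workers, or null if none applies.
function workerSources(directives) {
  for (const name of ['worker-src', 'child-src', 'default-src']) {
    if (name in directives) return { effective: name, sources: directives[name] };
  }
  return { effective: null, sources: null };
}

// Does a single source expression match the worker URL, given the page's origin?
function sourceMatches(source, workerUrl, pageOrigin) {
  const url = new URL(workerUrl, pageOrigin);   // resolve relative URLs against the page
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin; // data: has origin "null", so never 'self'
  // Scheme source such as blob: or data: (unquoted in CSP syntax).
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source: scheme, host and port must match; a path, if given, must prefix-match.
  const host = new URL(source.includes('://') ? source : `${page.protocol}//${source}`);
  if (host.protocol !== url.protocol || host.host !== url.host) return false; // .host includes the port
  return host.pathname === '/' || url.pathname.startsWith(host.pathname);
}

// True if the policy permits loading workerUrl as a Worker/SharedWorker/ServiceWorker.
// With no worker-src, child-src or default-src present, CSP imposes no restriction.
function isWorkerAllowed(header, pageOrigin, workerUrl) {
  const { sources } = workerSources(parsePolicy(header));
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, workerUrl, pageOrigin));
}

module.exports = { parsePolicy, workerSources, sourceMatches, isWorkerAllowed };
```

The page origin and worker URLs passed in are constructed inputs; run the checks with the page's own policy (worker-src 'self' https://example.com) to see the allowed and blocked cases decided the same way the HTML examples describe.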
