Data URL web worker loses security context

I am creating a web worker using a data URL in a local html file. The file has a secure context but the worker does not. Specs say they should be the same. Have I messed up, is the spec wrong or chromium browsers? Here is code demonstrating the error.

<!DOCTYPE html><html><head><title>Worker Security Flaw?</title>
<meta charset="UTF-8"><script>
function main(){
  out.textContent= 'window.isSecureContext= '+isSecureContext;
  let worker= new Worker('data:text/javascript,onmessage= function(e){postMessage({flag:isSecureContext});};');
  worker.onmessage= function(e){out.textContent+= ', worker.isSecureContext= '+e.data.flag;};
  worker.postMessage({});
}
</script></head>
<body onload=main();><output id="out"></output></body></html>

Upvotes: 1

Answers (2)

DharmaTurtle

Reputation: 8467

This was fixed in Chrome and Firefox in April 2023.

Relevant spec discussion: https://github.com/w3c/webappsec-secure-contexts/issues/69

Upvotes: 1

eiffie

Reputation: 46

There is a work around using blobs.

let blb=new Blob(['onmessage=function(e){postMessage({flag:isSecureContext});};'], {type: 'text/javascript'});
let worker=new Worker(URL.createObjectURL(blb));

This works as the spec calls out giving the worker the same security context as the opener.

Upvotes: 1

Data URL web worker loses security context

Answers (2)

Related Questions