
Fire error event instead of throwing for CSP blocked worker

Category: Security
Type: Chromium catches up
Status: In development (Chrome In development)
Intent stage: None

Summary

When a worker script is blocked by CSP, Chromium currently throws a SecurityError from the Worker and SharedWorker constructors. The spec requires CSP to be checked as part of the fetch, so when script runs "new Worker(url)" or "new SharedWorker(url)" an error event fires asynchronously instead of an exception being thrown. This change makes Chromium spec-conformant: the constructor does not throw, and an error event fires asynchronously.

Motivation

When the URL is blocked by Content Security Policy, the script code "new Worker(url)" and "new SharedWorker(url)" currently throws an exception. According to the spec, the CSP check is done as part of the fetch, which happens asynchronously, and the constructor should not throw. Instead, an error event should fire after the object is returned. This feature aligns Chromium's behavior with the spec.
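Page code that only wraps `new Worker(url)` in `try`/`catch` stops seeing CSP blocks once the constructor no longer throws. The sketch below is an added example, not Chromium's code or part of the original entry; it routes both behaviours to one callback, and the names `startWorker`, `onFailure` and `WorkerCtor` are assumptions made for illustration.

```javascript
// Added example. startWorker, onFailure and WorkerCtor are illustrative names.
// WorkerCtor is injectable so the logic can be exercised outside a browser;
// in a page it defaults to the real Worker constructor.
function startWorker(url, { onFailure, WorkerCtor = globalThis.Worker, options } = {}) {
  if (typeof onFailure !== "function") {
    throw new TypeError("onFailure callback is required");
  }
  let worker;
  try {
    worker = new WorkerCtor(url, options);
  } catch (err) {
    // Current Chromium behaviour described above: a CSP-blocked URL
    // throws SecurityError from the constructor. err.name is recorded
    // so other constructor failures stay distinguishable.
    onFailure({ phase: "constructor", url: String(url), detail: err.name });
    return null;
  }
  // Spec behaviour: the constructor returns, and a blocked fetch is
  // reported later as an "error" event on the returned object.
  worker.addEventListener("error", (event) => {
    // A runtime script error arrives as an ErrorEvent carrying a message;
    // a failed load (including a CSP block) is a plain Event without one.
    const isScriptError =
      typeof event.message === "string" && event.message !== "";
    onFailure({
      phase: isScriptError ? "runtime" : "load",
      url: String(url),
      detail: isScriptError ? event.message : null,
    });
  });
  return worker;
}
```

The same pattern applies to `SharedWorker` by passing it as `WorkerCtor`.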
