Affecting Dedicated workers no longer inherit CSP from parent document unless embedded

Published: | Categories: DOM, Privacy & Security


Firefox 45 has fixed a Content Security Policy (CSP) implementation bug where dedicated workers were erroneously “inheriting” the policy of the parent document when XMLHttpRequest or importScripts was used.

In the meantime, embedded workers do inherit the parent policy, but make sure your Blob has a valid script MIME type such as text/javascript. Otherwise, the default-src directive is applied to the worker instead of script-src, potentially leading to an unexpected CSP error. Yandex.Disk is broken on Firefox 45 due to this restriction.

Update: The issue on Yandex.Disk has been solved by the Yandex team.