Loading cross-origin worker now fires error event instead of throwing; worker in sandboxed iframe no longer allowed

Published: | Categories: DOM, Privacy & Security


As part of HTML5 standard compliance, Firefox 45 has changed how it internally loads a Web worker script. There are 2 backward compatibility issues you should know about.

Previously, Firefox threw a SecurityError immediately when attempting to load a cross-origin worker script with the Worker constructor. In Firefox 45 and later, a generic error event is fired asynchronously once a new Worker instance is created, according to the latest spec. To deal with both cases, you have to use the worker’s onerror handler along with a try-catch statement:

try {
  var worker = new Worker(url);
  worker.addEventListener('error', function (event) {
    // Error: Failed to load script (nsresult = 0x805303f4)
    // Prevent the event from bubbling
    event.preventDefault();
    // Handle the cross-origin load error for newer browsers
  });
} catch (ex) {
  // SecurityError
  // Handle the cross-origin load error for older browsers
}

Mozilla’s PDF.js library is currently broken in cross-origin environments such as CDNs because it lacks the onerror handler for the worker and the fallback function will never get called.

Update: PDF.js version 1.4.187 has fixed the issue. You can download the latest pre-built version from the pdfjs-dist repository until a new release is available on the pdf.js repository. You can also build it yourself.

Firefox 45 has also fixed an implementation bug where the browser incorrectly allowed a worker to be loaded in an <iframe> with the sandbox attribute. Such code now leads to an error as above, because the document in a sandboxed iframe has a unique origin that won’t match anything, while worker scripts are required to be same-origin. The workaround here is adding allow-same-origin to the sandbox value, though it’s not recommended due to the loosened protection.
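
As an added example (not code from the original note or from PDF.js), the helper below reports a worker load failure exactly once, whether the browser throws SecurityError synchronously or fires the asynchronous error event, which is also how the sandboxed-iframe case surfaces. The names `startWorker`, `onLoadFailure` and the injectable `WorkerCtor` are hypothetical, and the helper assumes the worker script posts a message once it has started.

```javascript
// Added example; startWorker, onLoadFailure and WorkerCtor are hypothetical names.
// Assumption: the worker script posts a message once it is running, so an
// error event arriving before that first message is treated as a load failure.
function startWorker(url, onLoadFailure, WorkerCtor) {
  // WorkerCtor is injectable so the logic can be exercised outside a browser.
  WorkerCtor = WorkerCtor || Worker;
  var settled = false;
  var worker;

  function fail(kind, detail) {
    if (settled) { return; } // report a load failure at most once
    settled = true;
    onLoadFailure({ kind: kind, detail: detail });
  }

  try {
    worker = new WorkerCtor(url);
  } catch (ex) {
    // Pre-45 behaviour: SecurityError thrown synchronously by the constructor.
    fail('sync-throw', ex);
    return null;
  }

  function onError(event) {
    // Firefox 45+ behaviour: generic error event fired asynchronously
    // (cross-origin script, or document in a sandboxed iframe).
    if (event && typeof event.preventDefault === 'function') {
      event.preventDefault();
    }
    worker.removeEventListener('error', onError);
    worker.terminate();
    fail('error-event', event);
  }
  worker.addEventListener('error', onError);

  worker.addEventListener('message', function onFirstMessage() {
    // Script loaded and ran: later error events are runtime errors, not load failures.
    settled = true;
    worker.removeEventListener('message', onFirstMessage);
    worker.removeEventListener('error', onError);
  });

  return worker;
}
```

The `onLoadFailure` callback is where a same-origin fallback (for example running the work on the main thread) would go, rather than loosening the sandbox with allow-same-origin.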