fix(ui): add 'self' to worker-src for our angular worker

[imnotjames]

Description

this allows the angular service worker to operate in a production environment

Changes

• adds worker-src self

Summary by CodeRabbit

• Chores
  • Updated Content-Security-Policy configuration to allow same-origin web workers alongside blob workers.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e2fae3da-dc22-4eea-943d-9dc111d364ae

📥 Commits

Reviewing files that changed from the base of the PR and between 79455ff and 0bf5e83.

📒 Files selected for processing (1)

• frontend/src/index.html

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test Suite / Backend Tests
• GitHub Check: Test Suite / Frontend Tests
• GitHub Check: Analyze (actions)
• GitHub Check: Analyze (java-kotlin)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Frontend Lint Threshold Check

🧰 Additional context used

📓 Path-based instructions (2)

frontend/src/**/*.{ts,tsx,html,scss}

📄 CodeRabbit inference engine (AGENTS.md)

Use 2-space indentation in TypeScript, HTML, and SCSS in frontend code

Files:

• frontend/src/index.html

frontend/src/**/*.{ts,tsx,html}

📄 CodeRabbit inference engine (AGENTS.md)

frontend/src/**/*.{ts,tsx,html}: Follow frontend/eslint.config.js: component selectors use app-, directive selectors use app, and any is disallowed in frontend code
Put user-facing strings in Transloco files under frontend/src/i18n/

Files:

• frontend/src/index.html

🧠 Learnings (2)

📓 Common learnings

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 848
File: frontend/src/index.html:9-9
Timestamp: 2026-04-25T02:36:26.141Z
Learning: In the grimmory project (`frontend/src/index.html`), adding broad CSP directives like `default-src 'self'` with targeted overrides breaks the application. The CSP must be kept minimal and targeted to the actual resource needs of the app. Avoid recommending broad defense-in-depth CSP additions for this project.

📚 Learning: 2026-04-25T02:36:26.141Z

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 848
File: frontend/src/index.html:9-9
Timestamp: 2026-04-25T02:36:26.141Z
Learning: In the grimmory project (`frontend/src/index.html`), adding broad CSP directives like `default-src 'self'` with targeted overrides breaks the application. The CSP must be kept minimal and targeted to the actual resource needs of the app. Avoid recommending broad defense-in-depth CSP additions for this project.

Applied to files:

• frontend/src/index.html

🔇 Additional comments (1)

frontend/src/index.html (1)

9-9: Good CSP fix for Angular service worker compatibility.

Line 9 correctly adds 'self' to worker-src while keeping the directive narrow ('self' blob:), which should allow ngsw-worker.js to load in production without broadening CSP unnecessarily.

Based on learnings: “The CSP must be kept minimal and targeted to the actual resource needs of the app.”

---

📝 Walkthrough

Walkthrough

The Content-Security-Policy meta tag in the frontend's HTML file was updated to permit workers from both the same origin and blob URLs. The worker-src directive now explicitly allows 'self' alongside the existing blob: permission.

Changes

Cohort / File(s)	Summary
CSP Configuration frontend/src/index.html	Modified worker-src directive in Content-Security-Policy meta tag to allow both same-origin workers ('self') and blob workers (blob:), expanding worker sourcing options.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

frontend, enhancement

Poem

🐰 A worker can now hop both ways,
From self-sourced paths and blob-y bays,
The CSP opens wide its door,
Same-origin workers wage their war,
Security and freedom, hand in paw! 🔒✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows conventional commit format with 'fix' type and clear scope about the Angular worker CSP change.
Description check	✅ Passed	The description includes the required Description and Changes sections explaining the CSP modification purpose and specific action taken.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[imnotjames]

As this is considered an ongoing incident I am using my authority to merge this as part of that without review. I'm in voice with Ally & we're in agreement.