TrustedTypes: WorkerGlobalScope: importScripts() #42396
Preview URLs (comment last updated: 2026-01-21 20:22:49)
| {{APIRef("Web Workers API")}}{{AvailableInWorkers("worker")}} | ||
| > [!WARNING] |
@wbamberg This follows the same pattern as the others. The method is used to import (one or more) classic scripts into a classic module.
I have done quite a lot of testing.
- FF will silently fail to load a worker or import a script with UTF-16 encoding. The web prefers UTF-8, but the fact this fails silently is irritating, because I assumed my files would default to UTF-8.
- Does a BCD note on the worker itself make sense? It's difficult because UTF-8 is strongly recommended, so there is no expectation that anyone would set UTF-16.
- Both the initial script and subsequent importScript operation are fetched in no-cors mode.
- This means both same- and cross-origin requests are not blocked by CORS.
- Cross-origin import requests just work unless blocked by CSP or CORP.
- The initial script MUST be same-origin with the worker, or a blob or data type.
- You can block the load by having a CORP on the cross-origin file to be loaded.
- However, if you add a CSP for `worker-src` it seems to be ignored for the nested importScript (though it obeys it for the top-level import, in that you can set `none`).
- However, CSP of `script-src` is respected.
Essentially it looks like for this method you can import what you like from wherever you like unless blocked by the server resource policy you are importing from.
FYI, my testing is here: https://github.com/hamishwillee/various_webapi_tests/tree/main/classic_worker_import - this uses a Caddyfile; caddy allows you to set up a server with headers, HTTPS and a certificate with no real effort.
EDIT. This is ready for review.
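Given the behaviour described in the testing notes above (importScripts() will fetch from any origin unless a server-side CORP or a CSP blocks it), here is an added example, not code from the PR or from MDN, of a classic worker that gates every URL it hands to importScripts() through a Trusted Types policy. The policy name "worker-imports" and the same-origin rule are assumptions chosen for the example.

```javascript
// Added example (not from the PR or MDN): a classic worker that only passes
// same-origin script URLs to importScripts(), via a Trusted Types policy whose
// name, "worker-imports", is an assumption for this example.

// Pure validator the policy delegates to; no worker dependencies, so it can be
// unit-tested outside a worker. Returns the absolute URL or throws a TypeError.
function validateImportURL(input, baseOrigin) {
  let url;
  try {
    url = new URL(String(input), baseOrigin);
  } catch {
    throw new TypeError(`importScripts: unparsable URL ${JSON.stringify(String(input))}`);
  }
  // Allow only http(s): this rejects data:, blob: and javascript: URLs.
  if (!/^https?:$/.test(url.protocol)) {
    throw new TypeError(`importScripts: scheme ${url.protocol} is not allowed`);
  }
  // Reject cross-origin scripts; importScripts() would otherwise fetch them in
  // no-cors mode unless the server's CORP or a CSP blocks the load.
  if (url.origin !== baseOrigin) {
    throw new TypeError(`importScripts: ${url.origin} is not same-origin with ${baseOrigin}`);
  }
  return url.href;
}

// Boolean form of the same check, for filtering lists and for tests.
function isAllowedImportURL(input, baseOrigin) {
  try { validateImportURL(input, baseOrigin); return true; } catch { return false; }
}

// Worker-side wrapper: hands importScripts() TrustedScriptURL objects, so that
// under "Content-Security-Policy: require-trusted-types-for 'script'" the
// imports go through while a plain string taken from user input is rejected.
let importPolicy = null;
function safeImportScripts(...urls) {
  const base = self.location.origin;
  if (typeof trustedTypes === "undefined") {
    // No Trusted Types support: validate anyway and pass plain strings.
    importScripts(...urls.map((u) => validateImportURL(u, base)));
    return;
  }
  if (importPolicy === null) {
    importPolicy = trustedTypes.createPolicy("worker-imports", {
      createScriptURL: (u) => validateImportURL(u, base),
    });
  }
  importScripts(...urls.map((u) => importPolicy.createScriptURL(u)));
}
```

Call `safeImportScripts("/lib/helper.js")` from the worker body in place of a bare `importScripts(...)`; `validateImportURL` and `isAllowedImportURL` can be exercised in Node without a worker.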
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
| If the input is provided by a user, this is a possible vector for [cross-site scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks. | ||
| It is extremely risky to accept and execute arbitrary URLs from untrusted origins. | ||
| A website should control what scripts that are allowed to run using a [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/Guides/CSP) with the [`script-src`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/worker-src) directive (or a fallback defined in [`default-src`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src)). |
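Review bot: on the last line of this hunk the `script-src` link target disagrees with the directive name: the text says `script-src` but the link points at `/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/worker-src`; one of the two is wrong, and given the surrounding sentence the link should point at the `script-src` reference page instead. The same sentence also has a grammar slip, "control what scripts that are allowed to run"; drop "that", or rewrite as "control which scripts are allowed to run".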
Note, weird as it is, script-src, not worker-src for classic workers.
Co-authored-by: wbamberg <will@bootbonnet.ca>
`WorkerGlobalScope.importScripts()` takes any number of trusted script URL parameters. This updates the docs to reflect that the scriptURL can be a trusted type (it mirrors #42362).
Still working on it - cursed imports.
Related docs work can be tracked in:
document.write()/document.writeln() #37518