According to the current version of the spec (https://w3c.github.io/webappsec-csp/#changes-from-level-2), the loading of workers will be subject to script-src if the policy doesn't explicitly set worker-src.
Many policies don't explicitly set worker-src, which is fine for most whitelist-based policies because workers which match the script-src whitelist will still be allowed (or the developer can expand script-src to cover the locations of such workers). For policies based on 'strict-dynamic', however, the script-src whitelist gets ignored which means that the application cannot create new workers (at least without adding worker-src to the policy which can be undesirable for other reasons).
To address this we should allow code such as new Worker(...) to allow the loading of arbitrary resources if the worker policy contains 'strict-dynamic'; this is consistent with the behavior of other non-parser-based APIs such as document.createElement which allow the loading of all scripts.
Similarly, once we're executing a worker, if the policy governing the worker contains script-src 'strict-dynamic' we should bless importScripts() and allow it to load arbitrary worker scripts.
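As an added illustration of both points above (the new Worker() case and the importScripts() case), here is a small policy evaluator; it is my own example code, not the issue author's and not the spec's algorithm. It assumes the fallback the issue describes (worker-src, else script-src, with script-src itself falling back to default-src; the spec's intermediate child-src step is omitted), matches host sources by exact origin only, and models the proposed behaviour with a `blessNonParserApis` flag so the current and proposed outcomes can be compared side by side. All policies and URLs below are constructed sample inputs.

```javascript
// Added example: evaluate whether a worker load (new Worker(url)) or an
// importScripts(url) call inside a worker would be allowed by a CSP string.
// Assumptions (mine, not the spec's): fallback chain worker-src -> script-src
// -> default-src for workers and script-src -> default-src for importScripts;
// host sources are matched by exact origin; `blessNonParserApis` models the
// issue's proposal that 'strict-dynamic' should bless these API calls.

function parsePolicy(policyText) {
  // "script-src 'self' https://cdn.example; worker-src blob:" -> Map(name -> [values])
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function governingDirective(policy, requestKind) {
  const chain = requestKind === 'worker'
    ? ['worker-src', 'script-src', 'default-src']
    : ['script-src', 'default-src']; // importScripts() inside a worker
  return chain.find((name) => policy.has(name)) || null;
}

function sourceMatches(source, targetUrl, origin) {
  const target = new URL(targetUrl, origin);
  if (source === "'self'") return target.origin === origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase(); // scheme source
  try {
    return new URL(source).origin === target.origin; // host source
  } catch (e) {
    return false; // keyword, nonce, hash or unsupported expression
  }
}

function checkLoad(policyText, requestKind, url, origin, { blessNonParserApis = false } = {}) {
  const policy = parsePolicy(policyText);
  const directive = governingDirective(policy, requestKind);
  if (directive === null) {
    return { allowed: true, directive, reason: 'no governing directive' };
  }
  const values = policy.get(directive);
  if (values.includes("'strict-dynamic'")) {
    // Host and scheme sources are ignored under 'strict-dynamic', and a worker
    // or importScripts request carries no nonce or hash, so it cannot match.
    if (blessNonParserApis) {
      return { allowed: true, directive, reason: "API call blessed by 'strict-dynamic' (proposal)" };
    }
    return { allowed: false, directive, reason: "'strict-dynamic' ignores host sources; no nonce on request" };
  }
  const allowed = values.some((v) => sourceMatches(v, url, origin));
  return { allowed, directive, reason: allowed ? 'matched a source expression' : 'no source matched' };
}

// Constructed sample inputs (not from the issue).
const PAGE_ORIGIN = 'https://app.example';
const WORKER_URL = 'https://app.example/js/worker.js';
const IMPORT_URL = 'https://app.example/js/lib.js';
const WHITELIST_POLICY = "script-src 'self' https://cdn.example";
const STRICT_DYNAMIC_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'";
const STRICT_DYNAMIC_WITH_WORKER_SRC = "script-src 'nonce-r4nd0m' 'strict-dynamic'; worker-src 'self'";

function demo() {
  return {
    whitelist: checkLoad(WHITELIST_POLICY, 'worker', WORKER_URL, PAGE_ORIGIN),
    strictDynamicToday: checkLoad(STRICT_DYNAMIC_POLICY, 'worker', WORKER_URL, PAGE_ORIGIN),
    strictDynamicProposal: checkLoad(STRICT_DYNAMIC_POLICY, 'worker', WORKER_URL, PAGE_ORIGIN, { blessNonParserApis: true }),
    explicitWorkerSrc: checkLoad(STRICT_DYNAMIC_WITH_WORKER_SRC, 'worker', WORKER_URL, PAGE_ORIGIN),
    importScriptsToday: checkLoad(STRICT_DYNAMIC_POLICY, 'importScripts', IMPORT_URL, PAGE_ORIGIN),
    importScriptsProposal: checkLoad(STRICT_DYNAMIC_POLICY, 'importScripts', IMPORT_URL, PAGE_ORIGIN, { blessNonParserApis: true }),
  };
}

for (const [name, result] of Object.entries(demo())) {
  console.log(name.padEnd(22), result.allowed ? 'ALLOW' : 'BLOCK', `(${result.directive}: ${result.reason})`);
}
```

Running it shows the situation the issue describes: the whitelist policy allows the same-origin worker via script-src, the 'strict-dynamic' policy blocks it (and blocks importScripts() in the worker) because the host whitelist is ignored and the request has no nonce, and only an explicit worker-src or the proposed blessing of the API call lets it through.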