CSP: worker-src

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

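CSP version: 3
Directive type: Fetch directive
Fallback: If this directive is absent, the user agent will, when governing worker execution, first look for the child-src directive, then the script-src directive, and finally the default-src directive.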

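Syntax

One or more sources can be allowed for the worker-src policy:

```http
Content-Security-Policy: worker-src <source>;
Content-Security-Policy: worker-src <source> <source>;
```

<source> can be any one of the CSP source values.

Note that this same set of values can be used in all fetch directives (and a number of other directives).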

Examples

Violation cases

Given this CSP header:

```http
Content-Security-Policy: worker-src https://example.com/
```

Worker, SharedWorker, and ServiceWorker are blocked and won't load:

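```html
<script>
  // Blocked: a data: URL does not match the https://example.com/ source
  let blockedWorker = new Worker("data:application/javascript,…");
  // Blocked: the host not-example.com is not in the worker-src list
  blockedWorker = new SharedWorker("https://not-example.com/");
  // Blocked: service worker scripts are governed by worker-src as well
  navigator.serviceWorker.register("https://not-example.com/sw.js");
</script>
```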
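The fallback order and the blocked loads above can be modelled in a short script for auditing a policy offline. This is an added example, not code from the original page and not the full CSP Level 3 matching algorithm: the function names and the simplified source matching (no nonces, hashes, redirects or scheme upgrades) are assumptions made for illustration.

```javascript
// Added example: simplified model, not the full CSP3 matching algorithm.
const FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = Object.create(null); // no inherited keys such as "constructor"
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// The first directive present in the fallback chain governs worker loads.
function effectiveWorkerDirective(policy) {
  return FALLBACK.find((d) => d in policy) ?? null;
}

// Simplified matching. Assumption: a scheme-less host source accepts http and https.
function matchesSource(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  const network = ["http:", "https:"].includes(url.protocol);
  if (s === "*") return network;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m || !network) return false;
  const [, scheme, wild, host, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  if (wild ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port ? port !== "*" && port !== urlPort : url.port !== "") return false;
  return !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
}

// Would a worker script at workerUrl load on a page at selfOrigin under header?
function workerAllowed(header, workerUrl, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = effectiveWorkerDirective(policy);
  if (directive === null) return { directive, allowed: true }; // nothing governs workers
  const url = new URL(workerUrl, selfOrigin);
  return { directive, allowed: policy[directive].some((src) => matchesSource(src, url, selfOrigin)) };
}

// Header and URLs from the page's example, plus one constructed allowed URL.
const demo = ["data:application/javascript,…", "https://not-example.com/sw.js", "https://example.com/w.js"];
for (const u of demo) console.log(u, workerAllowed("worker-src https://example.com/", u, "https://example.com"));
```

The returned directive name shows which part of the policy made the decision, which is useful when a worker is blocked by script-src or default-src on a page that never sets worker-src.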

Specifications

Specification: Content Security Policy Level 3, # directive-worker-src

Browser compatibility


See also