Bug 225716

Summary: Unable to use 'data:application/javascript' url for Worker
Product: WebKit
Reporter: nkronlage
Component: Platform
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, cdumez, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Attachments:
  Patch (flags: none)
  Patch (flags: none)

Description nkronlage 2021-05-12 13:44:47 PDT
Using `new Worker('data:application/javascript,...')` results in 'SecurityError: The operation is insecure.'.

I'm able to create a Worker using a Blob to that same string, so it's not clear why this method is not allowed. 

Chrome and Firefox both allow this.

Live repro: https://jsfiddle.net/3dn86s1h/

Code:

  const code = 'postMessage("foo")';
  const type = 'application/javascript';
  const worker1 = new Worker(URL.createObjectURL(new Blob([code], {
    type
  })));
  worker1.onmessage = function(e) {
    document.body.insertAdjacentHTML('beforeend', 'worker1 returned: ' + e.data + '<br>');
  };

  const worker2 = new Worker(`data:${type},${code}`);
  worker2.onmessage = function(e) {
    document.body.insertAdjacentHTML('beforeend', 'worker2 returned: ' + e.data + '<br>');
  };

Expected:

Document body shows results from both worker 1 and worker 2.

Actual:

Only Worker 1's results show in the body. Worker 2 threw 'SecurityError: The operation is insecure.'

Comment 1 Radar WebKit Bug Importer 2021-05-19 13:45:15 PDT
<rdar://problem/78222538>

Comment 2 youenn fablet 2021-07-05 01:56:39 PDT
Created attachment 432875
Patch

Comment 3 youenn fablet 2021-07-05 06:38:14 PDT
Created attachment 432880
Patch

Comment 4 EWS 2021-07-06 12:02:11 PDT
Committed r279602 (239426@main): <https://commits.webkit.org/239426@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 432880.
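
For pages that still have to run on WebKit builds without the fix from r279602, the following added example (not part of the bug report or of WebKit) tries the `data:` URL first and falls back to the Blob path from the report only when the constructor throws `SecurityError`. The names `createInlineWorker` and `deps` are hypothetical; `deps` exists only so the constructors can be replaced in a test.

```javascript
// Added example. createInlineWorker and its `deps` parameter are hypothetical
// names; `deps` defaults to the real browser globals.
function createInlineWorker(code, deps = globalThis) {
  const { Worker, Blob, URL } = deps;
  const type = 'application/javascript';

  // Percent-encode the source: a raw '#' would start a URL fragment and cut
  // the script short, and a raw '%' would be read as an escape sequence.
  const dataUrl = `data:${type},${encodeURIComponent(code)}`;
  try {
    return { worker: new Worker(dataUrl), via: 'data', revoke() {} };
  } catch (err) {
    // Fall back only for the error named in this report; rethrow the rest.
    if (!err || err.name !== 'SecurityError') throw err;
  }

  // Same path as worker1 in the report: Blob -> object URL -> Worker.
  const blobUrl = URL.createObjectURL(new Blob([code], { type }));
  return {
    worker: new Worker(blobUrl),
    via: 'blob',
    // Call once the worker has started (for example after its first message)
    // so the object URL does not keep the Blob alive for the page's lifetime.
    revoke() { URL.revokeObjectURL(blobUrl); },
  };
}
```

The two paths are not equivalent from a security standpoint: a worker started from a `data:` URL gets an opaque origin, while one started from a `blob:` URL runs in the origin of the page that created it. Check the returned `via` value before passing anything other than trusted script text through the fallback.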