Description
Hey, I stumbled upon a similar issue as #1 (This document requires 'TrustedScriptURL' assignment.) for websites that leverage web workers. It seems that Chrome isn't using the default policy as a fallback in case strings are passed to importScripts() resulting in errors since the CSP enforces trusted types.
The minimal POC to reproduce this is:
index.html
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
</head>
<body>
<script>
trustedTypes.createPolicy('default', {
createHTML: string => string,
createScript: string => string,
createScriptURL: string => string
});
var worker = new Worker("script1.js");
</script>
script1.js
console.log('hi, from script1.js');
importScripts('script2.js');
script2.js
console.log('hi, from script2.js');
Here's a live version http://165.227.165.4/web-worker-trusted-types/index.html
I couldn't find much information regarding this behaviour, however, my gut feeling tells me this might be a bug in Chrome, but I'm not too familiar with web workers (and how they work with trusted types). Just thought that I'll mention it here if others run into it (not sure there is anything the extension could do in these cases).