worker-src
Content-Security-Policy Fetch

Overview

worker-src controls the sources of scripts loaded by Web Workers, Shared Workers, and Service Workers. When omitted it falls back through child-src → script-src → default-src.

Details

Values include 'self', worker-script hosts, and often blob:. Many libraries create workers inline via URL.createObjectURL(new Blob([...])), so allowing blob: is frequently required. Service Workers are same-origin by rule, so 'self' usually suffices, but if a worker uses importScripts() to load extra scripts, those targets may need to be considered under both worker-src (script load) and connect-src (fetch).

Because of the fallback chain, omitting worker-src applies the script-src policy. A strictly nonce-locked script-src can unexpectedly block worker creation, so sites using workers should open worker-src explicitly.

Syntax

Content-Security-Policy: worker-src 'self' blob:

Notes

Related directives