Cannot load cross-origin workers
Reported by
a...@scirra.com,
Jun 15 2017
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3131.0 Safari/537.36 Steps to reproduce the problem: 1. Create cross-origin worker What is the expected behavior? Respecting CORS like all other web resources What went wrong? DOMException: Failed to construct 'Worker': Script at 'https://downloads.scirra.com/c3-nwjs/worker.js' cannot be accessed from origin 'https://www.scirra.com'. Did this work before? No Does this work in other browsers? No Creating a cross-origin Worker fails. Try here: https://www.scirra.com/labs/worker-cors.html This doesn't seem to work in any browser, but why isn't it supported? The worker script is served with Access-Control-Allow-Origin: * but it seems Chrome doesn't even start a network request for it. Chrome version: 61.0.3131.0 Channel: canary OS Version: 10.0 Flash Version:
,
Jun 16 2017
ash@ Could you please help us with sample html test case and expected/actual behavior for further triage. Thank You...
,
Jun 16 2017
I already provided this link: https://www.scirra.com/labs/worker-cors.html It should simply log "Hello from worker" to the console. Instead it throws an error without even requesting the script.
,
Jun 16 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 19 2017
mkwst: do you know if this is (still) intentional? I don't see exactly where the spec disallows this. The closest I see is a non-normative note that "Any same-origin URL (including blob: URLs) can be used." https://html.spec.whatwg.org/multipage/workers.html#dom-worker One probably needs to follow the URL parser steps and see what happens when the base is a different origin from the input.
,
Jun 19 2017
falken@: For classic workers, this is the expected behavior. See step 1 of https://html.spec.whatwg.org/#fetch-a-classic-worker-script where the fetch mode is set to `same-origin`. As the issue notes, other browsers have the same behavior. I'm flipping this from a bug to a feature request. I don't have any fundamental problem with loosening this restriction for classic workers, but doing so will require auditing the various points at which Blink assumes that a worker will be same-origin (things like CSP inheritance, script errors, etc come to mind). It'll also require actually defining the properties of the global object in the context we create. Does it execute in the embedder's origin? In the origin of the script object? If folks are willing to do the spec work and infrastructure work, I think we could get on board for `new Worker`. I'm less enthusiastic about cross-origin `SharedWorker` and `ServiceWorker`, as I think we'd need to think through the implications more seriously.
,
Jun 19 2017
Thanks for the info mkwst. nhiroki: Would ES6 module support for workers affect this? I assume instead of the "fetch a classic script" we'll "fetch a module worker script graph" and I don't immediately see the 'same-origin' restriction there.
,
Jun 19 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 22 2018
Spec authors reached a consensus not to support cross-origin classic/module workers for now. See https://github.com/whatwg/html/pull/3656#issuecomment-392974408 and issues linked there. Please file a spec issue if there is a use case of cross-origin workers. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by a...@scirra.com
, Jun 15 2017