AbstractWorker::ResolveURL fails cross-origin workers too quickly
Issue description

In my CL to change the default credentials mode for module scripts, I noticed that the way we handle not supporting cross-origin workers of any kind (that is, classic or module) is by having an early fail in AbstractWorker::ResolveURL [1]. We basically throw a DOMException if the worker's URL is cross-origin.

It is true that cross-origin workers of any kind should not be supported, but in the HTML Standard, this is ensured by setting the request's mode to "same-origin", therefore any cross-origin requests will fail, and the Worker's error event will be fired. This is tested [2] (the tests are being refined + extended to module workers), and since Chrome disallows even cross-origin worker construction, Chrome fails the test.

My question: Can we remove AbstractWorker's exception-throwing behavior here? Or is it possible that even attempting to fetch a guaranteed-to-fail cross-origin worker request is insecure enough for us to not be able to budge?

[1]: https://chromium-review.googlesource.com/c/chromium/src/+/1239638/6/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc#120
[2]: https://github.com/web-platform-tests/wpt/pull/13671
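
The issue above describes two ways a cross-origin worker URL can be rejected: an exception thrown by the constructor, or a failed "same-origin" fetch that fires the worker's error event. The following is an added example, not part of the original issue or of Chromium, of page code that reports both paths the same way; `startWorker`, the two stand-in worker classes and the `app.example` / `cdn.example` origins are constructed for illustration.

```javascript
// Added example, not Chromium code. All names below are hypothetical.
function startWorker(WorkerCtor, url, baseURL, onFailure) {
  const resolved = new URL(url, baseURL).href;
  let worker;
  try {
    worker = new WorkerCtor(resolved);
  } catch (err) {
    // Early path: the constructor itself throws (the behaviour the
    // issue describes for Chrome).
    onFailure({ phase: "construct", reason: err.name, url: resolved });
    return null;
  }
  // Late path: construction succeeds, the "same-origin" fetch fails,
  // and the worker's error event fires.
  worker.addEventListener("error", () => {
    onFailure({ phase: "fetch", reason: "error event", url: resolved });
  });
  return worker;
}

// Constructed stand-in: rejects cross-origin URLs at construction time.
const PAGE_ORIGIN = "https://app.example";
class EarlyFailWorker {
  constructor(url) {
    if (new URL(url).origin !== PAGE_ORIGIN) {
      throw Object.assign(new Error("cross-origin worker"), { name: "SecurityError" });
    }
  }
  addEventListener() {}
}

// Constructed stand-in: always constructs; failFetch() simulates the failed
// same-origin fetch by dispatching the error event to registered listeners.
class LateFailWorker {
  constructor(url) { this.url = url; this.listeners = []; }
  addEventListener(type, fn) { if (type === "error") this.listeners.push(fn); }
  failFetch() { this.listeners.forEach((fn) => fn({ type: "error" })); }
}

// Runs one URL through both stand-ins and returns the failure phases seen.
function demo(url) {
  const seen = [];
  const base = PAGE_ORIGIN + "/index.html";
  startWorker(EarlyFailWorker, url, base, (f) => seen.push(f.phase));
  const w = startWorker(LateFailWorker, url, base, (f) => seen.push(f.phase));
  if (new URL(w.url).origin !== PAGE_ORIGIN) w.failFetch();
  return seen;
}
```

In a browser, the real `Worker` constructor is passed as `WorkerCtor`; the stand-ins exist only so both paths can be exercised outside one.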
Nov 2
(worker bug triage) domfarolino@: Any update on this?
Nov 2
Sorry, yes, this should be closed after some further discussion. The behavior Chrome has is indeed allowed by spec. Thanks for the ping.
Comment 1 by domfarolino@gmail.com, Oct 23