The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) worker-src directive specifies valid sources for {{domxref("Worker")}}, {{domxref("SharedWorker")}}, or {{domxref("ServiceWorker")}} scripts.
| CSP version | 3 |
|---|---|
| Directive type | {{Glossary("Fetch directive")}} |
| Fallback |
If this directive is absent, the user agent will first look for the {{CSP("child-src")}} directive, then the {{CSP("script-src")}} directive, then finally for the {{CSP("default-src")}} directive, when governing worker execution. Chrome 59 and higher skips the {{CSP("child-src")}} directive. Edge 17 skips the {{CSP("script-src")}} directive (bug). |
One or more sources can be allowed for the worker-src policy:
Content-Security-Policy: worker-src <source>; Content-Security-Policy: worker-src <source> <source>;
{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
Given this CSP header:
Content-Security-Policy: worker-src https://example.com/
{{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}} are blocked and won't load:
<script>
var blockedWorker = new Worker("data:application/javascript,...");
blockedWorker = new SharedWorker("https://not-example.com/");
navigator.serviceWorker.register('https://not-example.com/sw.js');
</script>
| Specification | Status | Comment |
|---|---|---|
| {{specName("CSP 3.0", "#directive-worker-src", "worker-src")}} | {{Spec2('CSP 3.0')}} | Initial definition. |
{{Compat("http.headers.csp.Content-Security-Policy.worker-src")}}