Skip to main content

Resolving Content Security Policy (CSP) issues for web workers

Vasil Dachev avatar
Written by Vasil Dachev
Updated over a month ago

What's happening?

Your website uses a security feature called Content Security Policy (CSP). This policy acts like a gatekeeper, telling the browser which resources (like scripts, images, and styles) are allowed to load and run on your pages.

Currently, your CSP is configured in a way that prevents a necessary component of our service from running. This component relies on the ability to create and execute Web Workers from blob: URLs. When this is blocked, some parts of our service will not function as expected.

Why is this important?

Allowing the execution of Web Workers from blob: within your CSP is necessary to ensure you have access to all the features our service provides.

How to fix it?

To resolve this, you need to update your website's Content Security Policy to explicitly allow blob: as a valid source for Web Workers. The specific steps will depend on how your website’s CSP is configured. Below are the most common methods:

1. Using an HTTP header

If your CSP is set using an HTTP header, you’ll need to modify the Content-Security-Policy header sent by your server. Look for the worker-src directive. If it’s not present, you’ll need to add it. If it is present, you’ll need to include blob: in the list of allowed sources.

The worker-src directive specifies the valid sources for Web Worker scripts. To allow Web Workers from blob:, add the following:

worker-src 'self' blob:;

  • 'self' allows workers from your own website’s origin.

  • blob: allows the creation and execution of Web Workers from blob: URLs.

Example of a full CSP header (adjust based on your existing policy):

Content-Security-Policy: worker-src 'self' blob:;

2. Using a <meta> tag

If your CSP is defined within an HTML <meta> tag in the <head> section of your pages, you’ll need to modify the content attribute of that tag. Similarly, look for or add the worker-src directive.

Example:

<meta http-equiv="Content-Security-Policy" content="worker-src 'self' blob:;">

Important considerations

  • Ensure that blob: is included in the worker-src directive of your CSP.

  • If your CSP is very strict, review other directives as well to ensure they don't inadvertently block our service.

  • Thoroughly test your website after making any changes to confirm that no other functionalities are affected.

  • If you're unsure how to modify your CSP, contact your website administrator or development team. They’ll be familiar with your configuration and can make these changes safely.

Need more help?

If you're still having trouble or have any questions, please reach out to our support team. We're here to help! When contacting us, please include:

  • Details about how your CSP is configured (e.g., via HTTP header or <meta> tag)

  • Any relevant error messages you're encountering

Did this answer your question?