discourse/lib/content_security_policy
David Taylor e7ce1e219e
FIX: Allow CDN asset host in worker-src CSP (#40871)
The media-optimization worker is launched from a same-origin blob:
bootstrap that imports the real worker chunk by absolute URL. When
assets are served from a CDN, that import is fetched with a worker
destination and is therefore checked against worker-src (not
script-src), so strict-dynamic does not apply. With only `'self' blob:`,
the cross-origin CDN import is blocked:

```
Creating a worker from 'https://cdn/assets/.../entrypoint.digested.js' violates the following Content Security Policy directive: "worker-src 'self' blob:".
```

To fix, we add the asset host to worker-src so the worker chunk can be
imported on CDN/S3 deployments. Non-CDN deployments are unchanged
('self' blob:).

Unfortunately strict-dynamic is not consistently supported in
worker-src.

Followup to a32f09021f
2026-06-15 10:31:38 +01:00
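As an added illustration of the point in the commit message above (example code written for this page, not Discourse's own `content_security_policy` code): build the `worker-src` sources with and without an asset host, then run a simplified CSP source-expression check (assumption: no wildcards or path matching) against a blob: bootstrap, a same-origin chunk, and a CDN-hosted chunk. The forum origin and CDN host are constructed placeholders.

```ruby
require "uri"

# worker-src sources for a deployment. Non-CDN deployments keep the
# original `'self' blob:`; when an asset host is configured it is added
# so the worker chunk imported by the blob: bootstrap is permitted.
def worker_src_sources(asset_host = nil)
  sources = ["'self'", "blob:"]
  sources << asset_host.sub(%r{/\z}, "") if asset_host && !asset_host.empty?
  sources
end

def worker_src_directive(asset_host = nil)
  "worker-src #{worker_src_sources(asset_host).join(' ')}"
end

# True when scheme, host and port of `uri` equal those of `allowed`.
def origin_match?(uri, allowed)
  uri.scheme == allowed.scheme && uri.host == allowed.host && uri.port == allowed.port
end

# Simplified CSP source-expression check (assumption: no wildcards, no
# path matching): is a fetch of `url` with a worker destination allowed
# by `sources` for a page served from `page_origin`? strict-dynamic is
# deliberately not modelled because it does not apply to worker-src here.
def worker_allowed?(url, sources, page_origin)
  uri = URI.parse(url)
  origin = URI.parse(page_origin)
  sources.any? do |source|
    if source == "'self'"
      origin_match?(uri, origin)
    elsif source.match?(/\A[a-z][a-z0-9+.-]*:\z/i)  # scheme-source such as blob:
      uri.scheme.to_s.casecmp?(source.chomp(":"))
    else                                            # host-source such as https://cdn.example
      origin_match?(uri, URI.parse(source))
    end
  end
end

# Constructed sample values: forum origin and CDN asset host are placeholders.
PAGE_ORIGIN = "https://forum.example"
CDN_HOST = "https://cdn.example"
WORKER_CHUNK = "#{CDN_HOST}/assets/entrypoint.digested.js"

# Before the fix the CDN-hosted worker chunk is rejected; after it is allowed.
puts worker_src_directive(CDN_HOST)
puts worker_allowed?(WORKER_CHUNK, worker_src_sources, PAGE_ORIGIN)           # false
puts worker_allowed?(WORKER_CHUNK, worker_src_sources(CDN_HOST), PAGE_ORIGIN) # true
```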
builder.rb DEV: Remove unused CSP code (#38290) 2026-03-05 20:19:49 +01:00
default.rb FIX: Allow CDN asset host in worker-src CSP (#40871) 2026-06-15 10:31:38 +01:00
extension.rb
middleware.rb