Web worker importScripts violates CSP #562

Closed
CodeWithOz opened this issue May 2, 2020 · 9 comments

@CodeWithOz

Hi,

I've been using v2.5.1 of this plugin until this week when I upgraded to 4.2.0 and then 4.2.1. However, my app's web workers are no longer working because the CSP is violated everywhere I use importScripts since I switched to 4.x.x. This does not happen when I revert to 2.5.1. This is what the error looks like:

Refused to load the script 'http://localhost:8080/js/proxy.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://*.stripe.com https://*.pushwoosh.com https://*.googleapis.com 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com/ajax/libs/rollbar.js/2.14.4/rollbar.min.js https://*.linkpreview.net http://*.linkpreview.net https://cdnjs.cloudflare.com/ajax/libs/rollbar.js/2.13.0/rollbar.min.js https://ipinfo.io https://*.algolianet.com https://*.algolia.net".

On v2.5.1 of this plugin I don't get this error and the workers work as expected. This is happening on Android, haven't confirmed on iOS. I also use the comlink library to manage the workers.

Cordova: latest (9.x)
Cordova-android: latest from master branch of the cordova-android repo

@jcesarmobile
Member

Can you provide a sample app?

@CodeWithOz
Author

Not yet, just haven't had the time.

@CodeWithOz
Author

Okay I have a sample reproduction you can use to see the problem.
Check this CI run. There are 2 artifacts for the 2 versions of this plugin, and you can test the problem by running testWorker('test value') in the dev tools console. With the build containing version 2.5.1 of this plugin, the command will log value from worker: test value in the console i.e. the web worker is working correctly without any CSP problems. But with the build containing version 4.2.1 of this plugin, you will get this error message:

Refused to load the script 'http://localhost:8080/js/proxy.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'".

At least this is what I get on my end, and that's the same problem happening in the real app. To be clear, the problem isn't with proxy.min.js. It throws the error on the first file that I try to import with importScripts, whether it's proxy.min.js or anything else.

@Mapiac

Mapiac commented May 8, 2020

Have seen and trying to look at a similar issue.

@CodeWithOz
Author

Ping 🙋‍♂️ .

@Mapiac

Mapiac commented May 14, 2020

@jcesarmobile think this would help? GoogleChromeLabs/worker-plugin#36

@jcesarmobile
Member

Looks like you have made changes in the sample app recently and running testWorker('test value') doesn't work, so can't properly reproduce. Can you fix the sample app?

@CodeWithOz
Author

@jcesarmobile sorry I thought I had updated this issue. The problem was that I was using hard-coded paths to the imported scripts, so on version 2.x of the plugin where WKPort is still available, my paths always ended with :8080. Version 4.x removed the port from the default URL, so the hard-coded paths became incorrect. I will create an issue about updating the migration guide from 2.x to 4.x to include the removal of the WKPort option.
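
The root cause described in the comment above, as an added example that is not part of the original thread or the plugin's code: a hard-coded `importScripts` URL stops matching CSP `'self'` once the app origin loses its port, while relative paths keep resolving to the current origin. The two origins, the worker path `/js/worker.js` and the helper names are assumptions made for illustration.

```javascript
// Added example: why a hard-coded importScripts() URL stops matching CSP 'self'
// once the app's origin changes, and how relative paths avoid that.
// The origins below are constructed for illustration, not taken from the plugin.

// Simplified 'self' check: exact scheme/host/port equality with the page origin.
// Browsers additionally tolerate some secure scheme upgrades; not modelled here.
function matchesSelf(scriptUrl, pageOrigin) {
  return new URL(scriptUrl).origin === new URL(pageOrigin).origin;
}

// Resolve each importScripts() argument the way a worker does: relative to the
// worker script's own URL. Absolute URLs pass through unchanged.
function auditImports(targets, workerUrl, pageOrigin) {
  return targets.map((target) => {
    const resolved = new URL(target, workerUrl).href;
    return { target, resolved, allowed: matchesSelf(resolved, pageOrigin) };
  });
}

// Hypothetical import list covering the three ways a path can be written.
const TARGETS = [
  'http://localhost:8080/js/proxy.min.js', // hard-coded origin with port
  '/js/proxy.min.js',                      // root-relative
  'proxy.min.js',                          // relative to the worker file
];

function auditFor(pageOrigin) {
  const workerUrl = pageOrigin + '/js/worker.js'; // assumed worker path
  return auditImports(TARGETS, workerUrl, pageOrigin);
}

const withPort = auditFor('http://localhost:8080'); // origin that includes the port
const withoutPort = auditFor('http://localhost');   // origin after the port is removed

for (const [label, rows] of [['with port', withPort], ['without port', withoutPort]]) {
  for (const r of rows) {
    const verdict = r.allowed ? 'allowed' : 'BLOCKED';
    console.log(`${label}: ${r.target} -> ${r.resolved} ${verdict}`);
  }
}
```

Only the hard-coded URL is reported as blocked under the port-less origin; both relative forms resolve to the current origin and stay covered by `'self'`.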

@CodeWithOz
Author

Please see #581, thanks.
