Chrome 63 seems to ignore or break on worker-src CSP headers

The Error

I'm developing several apps that use web workers and all of them are kind of broken using the latest Chrome V63.0.3230.132.

This is the error message I see on the console:

[Report Only] Refused to create a worker from 'http://localhost:8080/d04af186322390d53036.worker.js' because it violates the following Content Security Policy directive: "worker-src 'none'".

I've also noticed some other sites behaving the same way.

Apparently, it doesn't matter how one creates that worker. I tried it in a react app using worker-loader, but also in a plain JS demo where I created it manually. The error remains the same.

What I tried

I've got all the CSP headers in place, and also updated my manifest.json files with the correct CSP entry to no avail.

All other browsers are working fine.

Can someone confirm or explain this behavior?

Xceno asked Jan 17 '18 10:01
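
As an added example (not code from the question or the answer) of how a browser decides which directive governs a worker, here is a small Python script implementing the CSP3 fallback chain worker-src, child-src, script-src, default-src that Chrome 63 adopted. The sample policies and the simplified source matching are my own assumptions; the worker URL is the one from the error message above.

```python
import re

# Added example, not code from the question or answer: work out which CSP
# directive governs `new Worker(url)` under the CSP3 fallback chain that
# Chrome 63 adopted (worker-src -> child-src -> script-src -> default-src),
# then apply a simplified source-list match to a worker URL.
WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            # Browsers honour only the first occurrence of a directive.
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_worker_directive(policy):
    """Return (name, sources) of the directive that applies to workers,
    or None if nothing in the fallback chain is present."""
    directives = parse_csp(policy)
    for name in WORKER_FALLBACK:
        if name in directives:
            return name, directives[name]
    return None


def worker_allowed(policy, worker_url, page_origin):
    """Simplified check (assumption): handles 'none', 'self', '*' and exact
    origin sources; real CSP matching also covers paths, wildcards and
    schemes such as blob:, which are not modelled here."""
    resolved = effective_worker_directive(policy)
    if resolved is None:
        return True  # nothing in the chain restricts workers
    _, sources = resolved
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]+", worker_url)
    worker_origin = m.group(0).lower() if m else ""
    for src in sources:
        src = src.lower()
        if src == "'none'":
            return False  # the case behind the error in the question
        if src == "*" or src == worker_origin:
            return True
        if src == "'self'" and worker_origin == page_origin.lower():
            return True
    return False
```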


1 Answer

As promised — here are the headers. I was unable to put them as a comment. As you can see I don't have CSP headers explicitly and the only ones related to security are x-content-type-options and x-frame-options. That's it. Hope it helps somehow.

content-type: text/html; charset=UTF-8
cache-control: must-revalidate, no-cache, private
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Sun, 19 Nov 1978 05:00:00 GMT
vary: Accept-Encoding
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 3e91b05aabb05540-ORD
content-encoding: br
x-firefox-spdy: h2
George answered Oct 17 '22 04:10