I'm having trouble getting new Function
to work in a Web Worker. I have an HTML page that spawns a Web Worker. This Web Worker executes code through new Function(str)
. I'm trying to use this in a packaged Chrome app, which requires a page using eval
-like code to be explicitly listed as a sandboxed page in the manifest.
Now, there are two options:
new Function
, but I cannot spawn a Web Worker because I cannot make any requests (the sandboxed page has a unique origin). new Worker(...)
throws a SECURITY_ERR
.
new Function
works in sandboxnew Worker
fails in sandbox due to unique originnew Function
because it isn't sandboxed. new Function(...)
throws an EvalError
complaining about the use of it.
new Function
fails in non-sandbox due to being eval
-likenew Worker
works in non-sandboxMy CSP is as follows:
sandbox allow-scripts script-src 'self' 'unsafe-eval'; object-src 'self'
What can I do to get new Function
working in a Web Worker?
There's a technique called inline workers, I would suggest using that.
This is described with example code on the HTML5 rocks site in their WebWorkers tutorial. This way you could list the site as sandboxed, but since there's no need to do external requests, it should work in sandboxed mode as well.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With