Enable 'new Function' in a Web Worker with CSP

Question

I'm having trouble getting new Function to work in a Web Worker. I have an HTML page that spawns a Web Worker. This Web Worker executes code through new Function(str). I'm trying to use this in a packaged Chrome app, which requires a page using eval-like code to be explicitly listed as a sandboxed page in the manifest.

Now, there are two options:

• Do list the page to be sandboxed. If I do so, I can use new Function, but I cannot spawn a Web Worker because I cannot make any requests (the sandboxed page has a unique origin). new Worker(...) throws a SECURITY_ERR.
  • new Function works in sandbox
  • new Worker fails in sandbox due to unique origin
• Don't list the page to be sandboxed. If I do so, I can spawn a Web Worker, but the worker cannot use new Function because it isn't sandboxed. new Function(...) throws an EvalError complaining about the use of it.
  • new Function fails in non-sandbox due to being eval-like
  • new Worker works in non-sandbox

My CSP is as follows:

sandbox allow-scripts script-src 'self' 'unsafe-eval'; object-src 'self'

What can I do to get new Function working in a Web Worker?

Answer 1

There's a technique called inline workers, I would suggest using that.

• Create a Blob object that contains the source code for the worker
• Convert it to a "dataurl"
• Instantiate the worker with this dataurl

This is described with example code on the HTML5 rocks site in their WebWorkers tutorial. This way you could list the site as sandboxed, but since there's no need to do external requests, it should work in sandboxed mode as well.