feat: support for hosted token worker

[DJMcK]

Changes

When the SDK is used in combination with a strict Content-Security-Policy (CSP), the policy must include worker-src: blob: which raises a concern of unsafe-eval. This change allows the SDK to be configured to load the worker code from a trusted URL, compliant with the CSP, and allows the user to mitigate the concern.

Todo:

• Just waiting for Fix cypress config for v13 #1209 to land so that we can get e2e coverage of this

References

As defined above, special URL schemes that refer to specific pieces of unique content, such as data:, blob: and filesystem: are excluded from matching a policy of * and must be explicitly listed. Policy authors should note that the content of such URLs is often derived from a response body or execution in a Document context, which may be unsafe. Especially for the default-src and script-src directives, policy authors should be aware that allowing data: URLs is equivalent to unsafe-inline and allowing blob: or filesystem: URLs is equivalent to unsafe-eval.

https://www.w3.org/TR/CSP2/#source-list-guid-matching

Testing

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed

[frederikprijck]

Thanks for this, this looks realy good.

The only thing that confuses me a bit is that it looks like we are now distributing a separate file for the worker. How is the user supposed to use this? I assume they need to ensure they take the file from their node_modules, and copy it as-is to their web-server without bundling? Can we add some clarification to the PR? And maybe add something in Examples.md?

It also looks like whoever opts to use the worker by URL, will have two copies of the worker (one in our bundle, one in the separate file), is that accurate and expected?

[DJMcK]

Hey @frederikprijck 👋

I assume they need to ensure they take the file from their node_modules, and copy it as-is to their web-server without bundling?

That's right, or leverage our CDN distribution of the ...worker.production.js file.

There's an effort to explain that to the consumer via the src/global.ts docs.

Tough one to articulate in a few sentences, I'll add something in Examples.md too. Thanks for calling that out!

It also looks like whoever opts to use the worker by URL, will have two copies of the worker (one in our bundle, one in the separate file), is that accurate and expected?

Yeah, that's right. You'd have the bundled auth0-spa-js.production.js which includes the integrated worker code and, if you opt to not use the eval approach, then you'd load the separate auth0-spa-js.worker.production.js.

There's definitely a tradeoff being made between a bit of performance for security when you opt-in to the latter.

[DJMcK]

@frederikprijck I took a pass at an FAQ in 3b234a4. Let me know your thoughts on that draft.

[frederikprijck]

Looks good, but lets add the e2e tests we discussed on slack.

[DJMcK]

• Rebased to get the head on Fix cypress config for v13 #1209 (integration tests fix)
• Added the new integration test for this feature 9044c63