feat: support for hosted token worker #1208
Conversation
Thanks for this, this looks really good.
The only thing that confuses me a bit is that it looks like we are now distributing a separate file for the worker. How is the user supposed to use this? I assume they need to ensure they take the file from their node_modules, and copy it as-is to their web-server without bundling? Can we add some clarification to the PR? And maybe add something in Examples.md?
It also looks like whoever opts to use the worker by URL, will have two copies of the worker (one in our bundle, one in the separate file), is that accurate and expected?
Hey @frederikprijck 👋
That's right, or leverage our CDN distribution of the There's an effort to explain that to the consumer via the Tough one to articulate in a few sentences, I'll add something in
Yeah, that's right. You'd have the bundled There's definitely a tradeoff being made between a bit of performance for security when you opt-in to the latter.
@frederikprijck I took a pass at an FAQ in 3b234a4. Let me know your thoughts on that draft.
Looks good, but let's add the e2e tests we discussed on Slack.
When using the SDK in combination with strict Content-Security-Policy (CSP) the policy must include `worker-src: blob:` which raises the concern of `unsafe-eval`. This change allows the SDK to be configured to load the worker code from a trusted URL, compliant with the CSP, and removes the concern.
**Changed** - feat: support for hosted token worker [\#1208](#1208) ([DJMcK](https://github.com/DJMcK))
Changes
When the SDK is used in combination with a strict Content-Security-Policy (CSP), the policy must include `worker-src: blob:`, which raises a concern of `unsafe-eval`. This change allows the SDK to be configured to load the worker code from a trusted URL, compliant with the CSP, and allows the user to mitigate the concern.
Todo:
References
https://www.w3.org/TR/CSP2/#source-list-guid-matching
Testing
Checklist
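To make the CSP trade-off in this PR concrete, here is an added example (not SDK code from this repository) that applies the CSP2 source-list matching rules referenced above to a `worker-src` directive: the blob: worker the SDK creates by default is only allowed once `blob:` is listed, whereas a hosted worker can be pinned to one trusted URL prefix. The page, worker URLs and policies below are constructed sample values, written with the directive syntax browsers parse (`worker-src blob:`, no colon after the directive name); `URL` is Node's built-in WHATWG parser.

```javascript
// Parse a CSP header and return the worker-src source expressions, or null
// when the directive is absent (browsers then fall back to child-src/script-src/default-src).
function workerSrcSources(policy) {
  const directive = policy.split(";").map(s => s.trim())
    .find(s => /^worker-src\b/.test(s));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// CSP2 source-list matching for one source expression against a worker URL.
function sourceMatches(expr, worker, page) {
  if (expr === "'none'") return false;
  // 'self': same scheme, host and port as the page; a blob: URL never matches it.
  if (expr === "'self'") return worker.protocol === page.protocol && worker.host === page.host;
  // scheme-source such as "blob:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return worker.protocol === expr.toLowerCase();
  // host-source: [scheme://]host[:port][/path], with "*" wildcards
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? worker.protocol !== scheme.toLowerCase() + ":" : worker.protocol !== page.protocol) return false;
  const h = worker.hostname.toLowerCase(), hp = host.toLowerCase();
  if (hp !== "*" && (hp.startsWith("*.") ? !h.endsWith(hp.slice(1)) : h !== hp)) return false;
  const defaultPort = { "http:": "80", "https:": "443" }[worker.protocol] || "";
  const wport = worker.port || defaultPort;
  if (port ? port !== "*" && port !== wport : wport !== defaultPort) return false;
  // a path ending in "/" is a prefix match, otherwise it must match exactly
  if (path && (path.endsWith("/") ? !worker.pathname.startsWith(path) : worker.pathname !== path)) return false;
  return true;
}

// true/false when worker-src decides the load, null when the directive is absent.
function workerAllowed(policy, workerUrl, pageUrl) {
  const sources = workerSrcSources(policy);
  if (sources === null) return null;
  const worker = new URL(workerUrl), page = new URL(pageUrl);
  return sources.some(expr => sourceMatches(expr, worker, page));
}

// Constructed sample values: the app page, a blob: worker (SDK default) and a hosted worker.
const PAGE = "https://app.example.com/";
const BLOB_WORKER = "blob:https://app.example.com/3f1a2b4c-0000-4000-8000-000000000000";
const HOSTED_WORKER = "https://cdn.example.com/sdk/worker.js";
const STRICT_CSP = "default-src 'self'; script-src 'self'; worker-src 'self'";
const BLOB_CSP = "default-src 'self'; script-src 'self'; worker-src 'self' blob:";
const HOSTED_CSP = "default-src 'self'; script-src 'self'; worker-src https://cdn.example.com/sdk/";
```

With `HOSTED_CSP` the policy names exactly one origin and path prefix for the worker, which is the narrower allow-list the PR's hosted-worker option makes possible.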