@SkyZeroZx SkyZeroZx commented Aug 25, 2025

Add missing securitypolicyviolation event to WorkerGlobalScope

Summary

This PR adds the missing securitypolicyviolation event API to WorkerGlobalScope in the TypeScript DOM lib generator, completing the CSP violation reporting support for Web Workers.

Specifications Compliance

W3C CSP Level 3: Report Violation
MDN Documentation: WorkerGlobalScope securitypolicyviolation event

Implementation Details

The implementation adds:

interface WorkerGlobalScopeEventMap {
    // ... existing events
    "securitypolicyviolation": SecurityPolicyViolationEvent;
}

interface WorkerGlobalScope extends EventTarget {
    // ... existing properties
    onsecuritypolicyviolation: ((this: WorkerGlobalScope, ev: SecurityPolicyViolationEvent) => any) | null;
}

Contributor

Thanks for the PR!

This section of the codebase is owned by @saschanaz - if they write a comment saying "LGTM" then it will be merged.

@SkyZeroZx
Author

@microsoft-github-policy-service agree

@saschanaz
Contributor

saschanaz commented Aug 25, 2025

It looks like MDN is wrong, new Worker(URL.createObjectURL(new Blob([`console.log("onsecuritypolicyviolation" in globalThis)`]))) gives false on Firefox and Chrome. Maybe file a bug in MDN?

@SkyZeroZx
Author

> It looks like MDN is wrong, new Worker(URL.createObjectURL(new Blob([`console.log("onsecuritypolicyviolation" in globalThis)`]))) gives false on Firefox and Chrome. Maybe file a bug in MDN?

Firefox returns true for me


Chrome the same

@saschanaz
Contributor

Your code is not exactly running the console.log in a worker environment, maybe copy-paste my code and try again?

@SkyZeroZx
Author

SkyZeroZx commented Aug 27, 2025

If I misinterpreted it, I just ran it in a sandbox with https/localhost, and the result is false.
So would it be an error in the documentation or a bug in the browsers?

@saschanaz
Contributor

It is an MDN issue, the spec doesn't say it should be available in workers.

@Renegade334
Contributor

The issue is with the HTML IDL – see w3c/webappsec-csp#568 for context. The event was removed from the HTML spec but the intent was for the onsecuritypolicyviolation IDL attribute to remain on the relevant interfaces, and it doesn't look like this occurred for WorkerGlobalScope.

@saschanaz
Contributor

"could in theory also fire" in the worker. But that did not happen and browsers do not implement it. File a spec bug maybe?

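The worker-side check discussed in this thread, together with a guarded listener, as an added example that is not part of the PR or of the TypeScript DOM lib generator. `PROBE_SOURCE`, `probeWorkerScope` and `watchCspViolations` are hypothetical names; `probeWorkerScope` needs a browser, while `watchCspViolations` works on any EventTarget-like scope.

```javascript
// Source evaluated inside the worker: report what the worker global exposes.
const PROBE_SOURCE = `postMessage({
  handlerAttr: "onsecuritypolicyviolation" in globalThis,
  eventCtor: typeof SecurityPolicyViolationEvent === "function",
});`;

// Browser only: run the probe in a real dedicated worker and resolve with its answer.
function probeWorkerScope(timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const url = URL.createObjectURL(new Blob([PROBE_SOURCE], { type: "text/javascript" }));
    let worker;
    const finish = (settle, value) => {
      clearTimeout(timer);
      if (worker) worker.terminate();
      URL.revokeObjectURL(url);
      settle(value);
    };
    const timer = setTimeout(() => finish(reject, new Error("worker probe timed out")), timeoutMs);
    try {
      worker = new Worker(url);
    } catch (err) {
      return finish(reject, err);
    }
    worker.onmessage = (ev) => finish(resolve, ev.data);
    // A worker-src policy that excludes blob: can stop the probe itself from loading.
    worker.onerror = () => finish(reject, new Error("worker failed to start"));
  });
}

// Attach a listener only where the scope exposes the handler attribute.
// Returns false otherwise, so the caller knows to rely on a document-level
// listener or on CSP report endpoints (report-to / report-uri) instead.
function watchCspViolations(scope, onViolation) {
  if (!("onsecuritypolicyviolation" in scope)) return false;
  scope.addEventListener("securitypolicyviolation", (ev) => {
    onViolation({
      blockedURI: ev.blockedURI,
      effectiveDirective: ev.effectiveDirective,
      disposition: ev.disposition,
    });
  });
  return true;
}
```

In a page, `probeWorkerScope().then(console.log)` shows the worker's own answer instead of the calling window's.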