Closed weizman closed 1 year ago
if disallowing creation of URL object in Web Workers the way Snow does in https://github.com/LavaMoat/snow/pull/89 prevents your application from running correctly, please share so in this thread so we can discuss the problem and understand how to best deal with it
Working on #88 to improve Blobs handling, I realized that my fix attempt reopens an issue from the past. Back then, the only way we could think of to handle this issue was to block blobs all together. I now realize I might have a different idea of how to handle that past issue.
As linked above, the problem was that a blob URL can be created inside a Worker, where Snow can't reach, and then just pass the created URL back to top using
postMessage
and turn it into an iframe.This is tricky because blob URLs are a unique animal. They are not
about:blank
so they're load is allegedly not sync, but their inner HTML&JS executes before external load events since a blob is a local resource.This is the worst thing that could happen to Snow current arch.
To solve this, I can simply make workers unable to create blobs/url objects in the first place. I can do so because if a worker is created out of a blob, that blob is for sure a JS file, so I can just replace it with my own blob JS file. My replacement will simply run some protection code and afterwards will load the original JS. The other way to load a Worker is from a remote resource of course, but that is out of Snow's scope.