Web workers are not working in lightning container due to SalesForce's CSP

Question

I'm trying to use web workers in lightning component. Using them in lightning component directly fails due to LockerService. Another option of using them inside the newly available lightning: container fails due to CSP rules. Don't know if it matters but I'm using a patch org and developing a managed packed.

The issue I'm getting is:

Refused to create a worker from 'blob:https://xxxx.container.lightning.com/0487b8bd-d72f-4859-a0b7-0b2608a108c0' because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension: https://zzzz.net *.na55.visual.force.com https://ssl.gstatic.com/accessibility/ 'nonce-yyyy'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

I've created a manifest.json file inside the resource with the following content according to the following documentation:

{

  "landing-pages" : [

    {

      "path": "index.html",

      "content-security-policy-type": "custom",

      "content-security-policy": "script-src *;"

    }

  ]

}

It seems that my manifest.json is being ignored. Here is the CSP request that is being sent:

{"csp-report":{"document-uri":"https://xxxx.container.lightning.com/lcc/0000/xxxxx/index.html?sfdcIFrameOrigin=https%3A%2F%2Fxxxx.lightning.force.com","referrer":"https://xxxx.lightning.force.com/","violated-directive":"worker-src","effective-directive":"worker-src","original-policy":"default-src 'self'; script-src  'self' chrome-extension: https://zzzz.net *.na55.visual.force.com https://ssl.gstatic.com/accessibility/ 'nonce-yyyy'; object-src 'self' https://xxxx.na55.content.force.com; style-src 'self' chrome-extension: 'unsafe-inline' *.na55.visual.force.com; img-src 'self' http: https: data: blob: *.na55.visual.force.com; media-src 'self' https://xxxx.na55.content.force.com *.na55.visual.force.com; frame-ancestors https://xxxx.lightning.force.com; frame-src https: mailto: *.na55.visual.force.com; font-src 'self' https: data: *.na55.visual.force.com; connect-src 'self' https://api.bluetail.salesforce.com https://staging.bluetail.salesforce.com https://preprod.bluetail.salesforce.com *.na55.visual.force.com; report-uri /_/csp","disposition":"enforce","blocked-uri":"blob","line-number":1,"column-number":31921,"source-file":"https://xxxx.container.lightning.com/lcc/0000/xxxxx/all.min.js","status-code":0,"script-sample":""}}

I would like to get Web Workers working in SalesForce lightning component, one way or another. Anyone had similar situation?

Answer 1

Webassembly are blocked in Locker service as because if it is allowed, then it is upto salesforce which can guarantee that it should not violate the security rules which is enforced by Locker Service. But, you can use lightning container instead of using Visualforce. Lightning container allows you to create components that can be used in a safe manner in a lightning context.

I hope this will work.

Want to become a Salesforce expert? join this Salesforce Course Online now!!