Hi, first of all thank you for your work on esbuild!
We are currently trialing using esbuild-wasm inside a web worker in a vite+React website context.
Since the worker is instantiated using the Blob API, we have to allow worker-src 'blob:' in our content security policy, which we would like to avoid but could accept.
However, the worker itself also needs the policy script-src: '[wasm-]unsafe-eval' because of the WebAssembly.instantiate[Streaming] APIs which are used inside the worker code.
Web workers created with a data or blob scheme inherit the CSP of the document that created it. See https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy
To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which delivered the worker script itself.
The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the CSP of the document or worker that created it.
Thus, the only way for us to use the web worker (that I can see) is to allow script-src: '[wasm-]unsafe-eval' for our entire website.
One way to avoid this would be to instantiate the web worker using a worker script file; one could then allow the necessary CSP headers only for the request which serves this one file instead of globally.
I have a patch that writes the worker source code to a file during build and allows optionally passing a URL to this file during esbuild.initialize, just like passing the URL to the esbuild.wasm file.
I'd be happy to create a PR for this change if you are at all interested? :)