DotLottieWorker is unsafe for CSP due to blob object usage
Hey team,
We have been running different benchmarks for lottie usage and concluded that we can use lottie in our project only with the worker version.
However, our security team has a limitation in CSP rules that doesn't allow us to add worker-src: blob: (or script-src: blob:) due to usage of blob being equal to unsafe-eval per the specs.
Checking the code, it looks like dotlottie-web generates the worker via blob only: https://github.com/LottieFiles/dotlottie-web/blob/7161eeeddde61588f906907fe2b54de7d59b5586/packages/web/esbuild-plugins/plugin-inline-worker.cjs#L52-L56
Would it be possible to extract the worker to be statically loaded as a separate module? This would allow the usage of a worker URL instead, which hopefully can then be added to the CSP to avoid the usage of a blob. Bundlers can add the worker via URL (Vite). If the worker URL is not passed, the code can default to blob.
Would this be feasible?
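The CSP constraint described in this issue, as an added example (not code from dotlottie-web or from the issue's participants): a small evaluator of the worker-src fallback chain that shows an inlined Blob-URL worker only passes a policy containing `blob:`, while a statically served worker passes under `'self'`. The policies, origins and URLs below are constructed for illustration.

```javascript
// Added example, not code from dotlottie-web: a minimal CSP evaluator that
// decides whether a Worker script URL is permitted by a page's policy. It
// follows the CSP3 fallback chain worker-src -> child-src -> script-src ->
// default-src and shows why an inlined Blob-URL worker needs `blob:` in the
// policy while a statically served worker only needs 'self' (or its origin).
// Simplification: host sources are matched by exact origin; wildcard hosts,
// nonces and hashes are not modelled.

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Returns the source list that governs worker loads, or null when the policy
// has no applicable directive (the load is then unrestricted by CSP).
function workerSourceList(policy) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// True when `new Worker(workerUrl)` from a page at `pageOrigin` would pass CSP.
function workerAllowed(cspHeader, pageOrigin, workerUrl) {
  const sources = workerSourceList(parseCsp(cspHeader));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  // A Blob URL (the inlined-worker pattern) is only allowed by an explicit blob: source.
  if (workerUrl.startsWith('blob:')) return sources.includes('blob:');
  const origin = new URL(workerUrl, pageOrigin).origin.toLowerCase();
  if (origin === pageOrigin.toLowerCase() && sources.includes("'self'")) return true;
  return sources.some((s) => s === '*' || s === origin);
}

// Constructed policies: STRICT_CSP resembles the restriction described in the
// issue; LOOSENED_CSP is what a team would have to accept to admit the Blob worker
// (no worker-src, so worker loads fall back to script-src).
const STRICT_CSP = "default-src 'self'; script-src 'self'; worker-src 'self'";
const LOOSENED_CSP = "default-src 'self'; script-src 'self' blob:";
```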
@azaleas Thanks for raising this and for the clear context!
You’re right: our current build inlines the worker via a Blob URL, which means projects with a strict CSP that forbids worker-src blob: (and/or script-src blob:) can’t use it. Supporting a statically served worker is reasonable.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Hey everyone, any news on this?
Hey @thiagopsnfg, we're working on this; expect it in an upcoming minor release.