
[Feature Request]: Support CSP/Chrome Extension Safe Build Without Base64 Blob Worker

Open • hasgaloyan opened this issue 4 months ago • 0 comments

Preflight Checklist

  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

What package is this feature request for?

rrweb

Problem Description

Hi rrweb team, thanks for the great work on rrweb — it’s an amazing tool for session recording.

I’m building a Chrome extension that uses rrweb as a core dependency. However, the extension was rejected from the Chrome Web Store due to a "Red Titanium" violation, which flags base64-encoded scripts that are decoded at runtime (e.g., via atob + Blob + new Worker(...)).

This appears to come from the use of a base64-encoded Web Worker bundled into rrweb's distribution (e.g., rrweb.js, rrweb.umd.cjs, etc.). Chrome reviewers are very strict about this kind of logic, even when it’s harmless, because it makes the code difficult to audit.

❌ Problem

Base64-encoded strings with Uint8Array.from(atob(...)) create decoded Blob scripts at runtime.

Chrome Store considers this obfuscation and blocks extensions that use them.

Proposed Solution

✅ Request

Would it be possible to provide a CSP-compliant / Chrome Extension-safe build of rrweb that does not inline the base64 worker?

This would make rrweb immediately usable in extensions and strict CSP environments.

Alternatives Considered

An official build flag or ES module export that uses a separately loaded worker file (e.g., new Worker(chrome.runtime.getURL('rrweb-worker.js'))) is also an option to allow extensions to pass Chrome review.

Additional Information

I found a similar feature request here that didn't have any solution for almost 2 years: https://github.com/rrweb-io/rrweb/issues/1308

Please prioritize this, as extensions are a great way to use rrweb.

hasgaloyan, May 30 '25 13:05
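A pre-submission check for the pattern this issue describes, written as an added example (not rrweb's code and not the Chrome Web Store's review logic): it flags a bundle that combines a long base64 string literal with `atob`, `Blob` and `Worker`, and passes one that loads the worker from a packaged file. The function names, the 200-character threshold and both sample bundles are assumptions constructed for illustration.

```javascript
// Heuristic audit for runtime-decoded worker scripts in a bundled dependency.
// The threshold is an assumption for this example, not a store policy.
const MIN_B64_LEN = 200; // shorter literals are usually ids or tiny assets

const SIGNALS = {
  atob: /\batob\s*\(/,
  blob: /\bnew\s+Blob\s*\(/,
  worker: /\bnew\s+(?:Shared)?Worker\s*\(/,
  objectUrl: /\bURL\.createObjectURL\s*\(/,
};

// Return quoted string literals that look like long base64 payloads.
function longBase64Literals(source) {
  const literal = /(["'`])([A-Za-z0-9+/]{4,}={0,2})\1/g;
  const hits = [];
  for (const m of source.matchAll(literal)) {
    if (m[2].length >= MIN_B64_LEN) {
      hits.push({ offset: m.index, length: m[2].length });
    }
  }
  return hits;
}

// Flag only when payload, decode, Blob and Worker all appear in the same file.
function auditBundle(name, source) {
  const signals = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
  const literals = longBase64Literals(source);
  const flagged = literals.length > 0 &&
    ['atob', 'blob', 'worker'].every((k) => signals.includes(k));
  return { name, signals, literals, flagged };
}

// Constructed samples (not taken from rrweb's real bundles).
const payload = 'c2VsZi5vbm1lc3NhZ2U9KCk9Pnt9'.repeat(10); // 280 base64 chars
const inlineSample = `
  const encoded = "${payload}";
  const bytes = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
  const url = URL.createObjectURL(new Blob([bytes], { type: "text/javascript" }));
  const w = new Worker(url);`;
const fileSample = `
  const w = new Worker(chrome.runtime.getURL("rrweb-worker.js"));`;

const report = [auditBundle('inline.js', inlineSample), auditBundle('file.js', fileSample)];
for (const r of report) {
  console.log(`${r.name}: flagged=${r.flagged} signals=[${r.signals.join(', ')}]`);
}
```

Running `auditBundle` over each file in an extension's build output before packaging shows which dependency carries the inline worker, and whether a worker-file build removed it.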