From e68923fa36a81f74d91228e32fc8bf9c1cfdb1f9 Mon Sep 17 00:00:00 2001
From: Bruno Quaresma
Date: Tue, 15 Nov 2022 14:02:24 -0300
Subject: [PATCH] fix: Worker security policy (#5093)

---
 site/site.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/site/site.go b/site/site.go
index 379974c820..1d0d65abcf 100644
--- a/site/site.go
+++ b/site/site.go
@@ -251,6 +251,7 @@ const (
 CSPDirectiveFormAction = "form-action"
 CSPDirectiveMediaSrc = "media-src"
 CSPFrameAncestors = "frame-ancestors"
+ CSPDirectiveWorkerSrc = "worker-src"
 )
 
 func cspHeaders(next http.Handler) http.Handler {
@@ -283,6 +284,8 @@ func cspHeaders(next http.Handler) http.Handler {
 // Report all violations back to the server to log
 CSPDirectiveReportURI: {"/api/v2/csp/reports"},
 CSPFrameAncestors: {"'none'"},
+ // worker for loading the .tar files on FE using js-untar
+ CSPDirectiveWorkerSrc: {"'self' blob:"},
 // Only scripts can manipulate the dom. This prevents someone from
 // naming themselves something like ''.
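Review bot: The new `CSPDirectiveWorkerSrc` constant in the first hunk carries no doc comment, and its only use in this patch (the second hunk, whose end lies outside this chunk) sets it to `'self' blob:` with a comment that says what the worker is for but not why `blob:` is needed. A `blob:` source permits any script already executing on the page to start a worker from an in-memory Blob, so the directive records intent more than it adds a barrier, and a later hardening pass that drops `blob:` would silently break the tar loader unless the reason is written down. I would add above the constant `// CSPDirectiveWorkerSrc limits where Worker/SharedWorker/ServiceWorker scripts may be loaded from; 'blob:' is needed because js-untar presumably creates its worker from a Blob URL — confirm against the library before tightening.` The name follows the surrounding `CSPDirective*` pattern, unlike the neighbouring `CSPFrameAncestors`, which could be aligned in a follow-up.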