I'm having trouble getting new Function to work in a Web Worker. I have an HTML page that spawns a Web Worker. This Web Worker executes code through new Function(str). I'm trying to use this in a packaged Chrome app, which requires a page using eval-like code to be explicitly listed as a sandboxed page in the manifest.
Now, there are two options:
new Function, but I cannot spawn a Web Worker because I cannot make any requests (the sandboxed page has a unique origin). new Worker(...) throws a SECURITY_ERR.
new Function works in sandboxnew Worker fails in sandbox due to unique originnew Function because it isn't sandboxed. new Function(...) throws an EvalError complaining about the use of it.
new Function fails in non-sandbox due to being eval-likenew Worker works in non-sandboxMy CSP is as follows:
sandbox allow-scripts script-src 'self' 'unsafe-eval'; object-src 'self'
What can I do to get new Function working in a Web Worker?
There's a technique called inline workers, I would suggest using that.
This is described with example code on the HTML5 rocks site in their WebWorkers tutorial. This way you could list the site as sandboxed, but since there's no need to do external requests, it should work in sandboxed mode as well.