PSA: Secure context fix for dedicated workers


Titouan Rigoudy

Mar 2, 2022, 9:41:54 AM
to blink-dev

Contact emails



Dedicated workers loaded from a secure (HTTPS) origin yet instantiated by insecure (non-HTTPS) contexts are no longer considered secure. This results in the following web developer facing changes inside such worker contexts:

- `self.isSecureContext` is now `false`
- `self.caches` and `self.storageFoundation` are no longer available

This aligns Blink behavior with the specification and Gecko.

Blink component



Interoperability and Compatibility

Interoperability risk is negative? Gecko is already shipping this behavior. WebKit is not, because it also deviates from the specification. In general, this increases the interoperability of the web platform.

Compatibility risk is the main issue here. Usage data from the beta channel shows ~0.08% of page visits potentially affected by this change, which is surprisingly high: Those pages instantiate a worker that is incorrectly classified as secure. This means those workers have access to APIs (`self.caches` and `self.storageFoundation` being the only ones on `WorkerGlobalScope`) that they should not have access to.

Note that this overestimates the compatibility risk, since not all such workers actually rely on those APIs. In particular, since Gecko implements the spec correctly, such workers would already not work in that engine.

Gecko: Shipped/Shipping

WebKit: No signal

Web developers: No signals

Other signals:


This change is security-positive.



Is this feature fully tested by web-platform-tests?


Flag name


Requires code in //chrome?


Tracking bug

Estimated milestones

DevTrial on desktop: 99
DevTrial on android: 99

Link to entry on the Chrome Platform Status

This intent message was generated by Chrome Platform Status.
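
Added example, not part of the original message or of Chromium's code: a dedicated worker script that detects the case described above (HTTPS worker script, `self.isSecureContext === false`) and falls back instead of assuming `self.caches` exists. The helper names, the message type and the in-memory store are hypothetical, and the store is a simplified stand-in that only mimics `open`/`put`/`match`.

```javascript
// Added example: classify a worker global scope and pick a storage backend.
// `scope` is any object shaped like WorkerGlobalScope (assumption for testing).
function classifyWorkerScope(scope) {
  const httpsScript = !!scope.location && scope.location.protocol === 'https:';
  const secure = scope.isSecureContext === true;
  return {
    secure,
    httpsScript,
    // The case this PSA changes: HTTPS worker script, insecure creator.
    downgradedByOwner: httpsScript && !secure,
    hasCacheStorage: secure && typeof scope.caches !== 'undefined',
  };
}

// Hypothetical in-memory fallback with a small subset of the CacheStorage shape.
function createMemoryStore() {
  const buckets = new Map();
  return {
    async open(name) {
      if (!buckets.has(name)) buckets.set(name, new Map());
      const bucket = buckets.get(name);
      return {
        async put(key, value) { bucket.set(String(key), value); },
        async match(key) { return bucket.get(String(key)); },
      };
    },
  };
}

function selectStore(scope) {
  const info = classifyWorkerScope(scope);
  const useCaches = info.hasCacheStorage;
  return {
    info,
    backend: useCaches ? 'cache-storage' : 'memory',
    store: useCaches ? scope.caches : createMemoryStore(),
  };
}

// Runs only inside a real dedicated worker: tell the owner page about the
// downgrade so affected pages show up in the site's own telemetry.
if (typeof DedicatedWorkerGlobalScope !== 'undefined' &&
    self instanceof DedicatedWorkerGlobalScope) {
  const { info, backend } = selectStore(self);
  if (info.downgradedByOwner) {
    self.postMessage({ type: 'worker-insecure-context', backend });
  }
}
```

The lasting fix for an affected page is to serve the instantiating context, including any ancestor frames, over HTTPS; the fallback only keeps the worker from throwing when `self.caches` is undefined.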

Chris Harrelson

Mar 2, 2022, 10:46:16 AM
to Titouan Rigoudy, blink-dev
I think this is fine and makes sense to run as a PSA, thanks for sending it. My only ask is to reply again if any site compat bugs are encountered.


Titouan Rigoudy

Mar 2, 2022, 11:01:25 AM
to Chris Harrelson, blink-dev
Will do! I'll post back here if we run into trouble.
