
I want to be clear on my plugin community page that my plugin does not use external network resources. However, when I put “none” in the allowedDomains array in my manifest, I get the following error:


Refused to create a worker from 'data:application/javascript,...' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' figma.com". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.


So, hmm, I guess technically worker scripts are considered external network resources? Though I am loading the worker script block from another script block in my ui.html source. So it’s all local. I don’t know why the plugin runtime considers this an external resource. And there doesn’t appear to be a way to specify such resources.


Sadly, for now, it seems I need to leave my network access as unspecified.


Has anyone else experienced this? Or found a workaround?


Thanks!

Same issue here. Setting “allowedDomains” to “*” can fix it, but I think it’s not a good way.


Same issue:


Refused to create a worker from 'blob:null/0d8c3769-84e7-4992-9975-ae7fc5692568' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' ... Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

The CSP needs worker-src: blob set.


For my use case this was for Monaco Code Editor web workers that are inlined. Inlining workers is pretty much the only way since you can only have one HTML file with your UI. Either that or network access requests…


Hey all,


We’ve just pushed an update that should allow blobs and data URLs now. Could you try setting your networkAccess field to none now?


This appears to work now, thanks. Updated my plugins with [“none”].
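
Added example (not part of any post in this thread, and not Figma's code): a small model of the fallback the error messages above describe, where a missing worker-src makes script-src govern worker creation and inlined data:/blob: workers are refused. The function names and the second policy are constructed for illustration.

```javascript
// Added illustration, not Figma's code. Models how a browser picks the CSP
// directive that governs `new Worker(url)` for data: and blob: URLs.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

function inlineWorkerDecision(policy, url) {
  const scheme = url.slice(0, url.indexOf(":") + 1).toLowerCase();
  if (scheme !== "data:" && scheme !== "blob:") {
    throw new Error("this sketch only models data: and blob: worker URLs");
  }
  const directives = parseCsp(policy);
  // worker-src is consulted first; if absent, the browser falls back down the chain.
  const governing = WORKER_FALLBACK.find((d) => directives.has(d)) ?? null;
  if (governing === null) return { allowed: true, governing };
  // Only an explicit scheme source ("data:" / "blob:") matches these URLs.
  // Host sources, quoted keywords and "*" do not.
  return { allowed: directives.get(governing).includes(scheme), governing };
}

// Policy text taken from the error message quoted in the thread.
const reported = "script-src 'unsafe-inline' 'unsafe-eval' figma.com";
// Constructed policy for comparison (an assumption, not Figma's actual fix).
const withWorkerSrc = reported + "; worker-src blob: data:";

console.log(inlineWorkerDecision(reported, "data:application/javascript,postMessage(1)"));
console.log(inlineWorkerDecision(withWorkerSrc, "blob:null/constructed-id"));
```

Adding scheme sources under worker-src keeps script-src unchanged, so inlined workers can be permitted without also allowing data: or blob: as ordinary script sources.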

