Skip to main content
Solved

Local worker script considered external network resource to networkAccess manifest option?


Dustin_Mierau

I want to be clear on my plugin community page that my plugin does not use external network resources. However, when I put “none” in the allowedDomains array in my manifest, I get the following error:

Refused to create a worker from 'data:application/javascript,...' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' figma.com". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

So, hmm, I guess technically worker scripts are considered external network resources? Though I am loading the worker script block from another script block in my ui.html source. So it’s all local. I don’t know why the plugin runtime considers this an external resource. And there doesn’t appear to be a way to specify such resources.

Sadly, for now, it seems I need to leave my network access as unspecified.

Has anyone else experienced this? Or found a workaround?

Thanks!

Best answer by Akbar_Mirza

Hey all,

We’ve just pushed an update that should allow blobs and data URLs now. Could you try setting your networkAccess field to none now?

View original
This topic has been closed for replies.

4 replies

Yi_Shen
  • 2 replies
  • July 20, 2023

Same issue here. Set “allowedDomains” to “*” can fix it. But I think it’s not a good way.


syntax
  • 2 replies
  • August 1, 2023

Same issue:

Refused to create a worker from 'blob:null/0d8c3769-84e7-4992-9975-ae7fc5692568' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' ... Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

The CSP needs worker-src: blob set.

For my use case this was for Monaco Code Editor web workers that are inlined. Inlining workers is pretty much the only way since you can only have one HTML file with your UI. Either that or network access requests…


Akbar_Mirza
Figmate
  • Figmate
  • 5 replies
  • Answer
  • August 25, 2023

Hey all,

We’ve just pushed an update that should allow blobs and data URLs now. Could you try setting your networkAccess field to none now?


Dustin_Mierau

This appears to work now thanks. Updated my plugins with [“none”]


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings